06
Mar 16

Seagate Phish Exposes All Employee W-2’s

Email scam artists last week tricked an employee at data storage giant Seagate Technology into giving away W-2 tax documents on all current and past employees, KrebsOnSecurity has learned. W-2 forms contain employee Social Security numbers, salaries and other personal data, and are highly prized by thieves involved in filing phony tax refund requests with the Internal Revenue Service (IRS) and the states.

Seagate headquarters in Cupertino, Calif. Image: Wikipedia

Seagate headquarters in Cupertino, Calif. Image: Wikipedia

According to Seagate, the scam struck on March 1, about a week after KrebsOnSecurity warned readers to be on the lookout for email phishing scams directed at finance and HR personnel that spoof a letter from the organization’s CEO requesting all employee W-2 forms.

KrebsOnSecurity first learned of this incident from a former Seagate employee who received a written notice from the company. Seagate spokesman Eric DeRitis confirmed that the notice was, unfortunately, all too real.

“On March 1, Seagate Technology learned that the 2015 W-2 tax form information for current and former U.S.-based employees was sent to an unauthorized third party in response to the phishing email scam,” DeRitis said. “The information was sent by an employee who believed the phishing email was a legitimate internal company request.”

DeRitis continued:

“When we learned about it, we immediately notified federal authorities who are now actively investigating it. We deeply regret this mistake and we offer our sincerest apologies to everyone affected. Seagate is aggressively analyzing where process changes are needed and we will implement those changes as quickly as we can.”

Asked via email how many former and current employees may have been impacted, DeRitis declined to be specific.

“We’re not giving that out publicly — only to federal law enforcement,” he said. “It’s accurate to say several thousand. But less 10,000 by a good amount.”

Naturally, Seagate is offering affected employees at least two-years’ membership to Experian’s ProtectMyID service, paid for by the company. Too bad having credit monitoring through Experian won’t protect employees from the real threat here — tax refund fraud.

As I noted in last month’s warning about W-2 phishing, fraudsters who perpetrate tax refund fraud prize W-2 information because it contains virtually all of the data one would need to fraudulently file someone’s taxes and request a large refund in their name. Indeed, scam artists involved in refund fraud stole W-2 information on more than 330,000 people last year directly from the Web site of the Internal Revenue Service (IRS). Scammers last year also massively phished online payroll management account credentials used by corporate HR professionals.

According to recent stats from the Federal Trade Commission, tax refund fraud was responsible for a nearly 50 percent increase in consumer identity theft complaints last year. The best way to avoid becoming a victim of tax refund fraud is to file your taxes before the fraudsters can. See Don’t Be A Victim of Tax Refund Fraud in ’16 for more tips on avoiding this ID theft headache.

Update, March 7, 12:36 p.m. ET: Several readers have forwarded news reports about other companies similarly victimized in W-2 phishing scams, including mobile communications firm Snapchat and GCI, an Alaskan ISP and telecom provider that handed thieves some 2,500 employee W-2’s.

Tags: , , , , , ,

71 comments

  1. David Litman - wargames.com

    Brfian Krebs for President 2016

  2. Richard Kellogg

    If a thief has enough personal info to file a false tax return, don’t they also have enough to file an amendment (i.e. 1040X)? How can we prevent that?

    • Richard,
      Why would they want to file an amended return? If they file early enough, they can file the regular 1040 and have a good chance of getting away with the fraud. If they file an amended return shortly after April 18 this year, they run the risk of the IRS having the W-2s and other forms from employers and financial institutions to catch the fraudulent amended return.

    • As we have discovered here, you can call the IRS to report the theft of your W2 information, then back that up by downloading and sending the IRS a form 14039. Then the IRS will send you a PIN to use to file your taxes with, as well as check with you if any changes are requested to your account.

  3. I am amazed, but probably shouldn’t be, that in this day and age, companies still use the wide open, totally insecure internet for private and sensitive company emails. It is not a big deal to set up an internal, secure email system in a company, especially a large one with substantial resources. In my view, laws should be passed to severely punish companies which, through their own negligence, have put employees, customers, and others at significant risk for identity theft, financial loss, or inconvenience (as when you have to make yourself right after the malsters have done you in, and it’s not your fault). Such laws, with large financial consequences, should help persuade companies to install appropriate safeguards. Carrots haven’t worked (there aren’t any, actually), it’s time for the stick.

    • Bill

      pls read the recent statement made by CA AG Kamala Harris

      California Attorney General Concludes that Failing to Implement the Center for Internet Security’s (CIS) Critical Security Controls ‘Constitutes a Lack of Reasonable Security’

      warm regards
      Kathy

      • Has any organization completely implemented the “Critical Security Controls”? It’s all well and good for two organizations that don’t have to implement anything to say it is required. It’s a very different thing to actually do it.

    • And before that, the wide open, totally insecure US mail system. A certain senator from Texas and candidate to become POTUS advocates submitting tax returns on a postcard.

  4. Someone at those large corporations needs to realize that they have to mandate computer security training for their employees who deal with people’s sensitive information. How many of those breaches do we have to live through to realize that? Or maybe Congress needs to pass a regulatory law imposing one hefty fine on any corporation that breaches such informations.

  5. Someone at those large corporations needs to realize that they have to mandate computer security training for their employees who deal with people’s sensitive information. How many of those breaches do we have to live through to realize that? Or maybe Congress needs to pass a regulatory law imposing one hefty fine on any corporation that breaches such informations.

    • they probably had the training; but a gap in applying the training to the real world.

    • Software programmers aren’t helping things with the gimmicks they keep adding to email clients and hiding information.

      My att.net account is handled by Yahoo, which when using webmail to access, shows only html-formatted content. I cannot figure out how to easily see the bare text of the html within an email. I don’t want to have to look at the source because the information I want is buried.

  6. what a FUBAR all of this is becoming. It’s like prevention fuels the fire and fans the flame. I believe there is a way to capture audit trails and trap the fraudulent filers (dump data) once the transmission is sent and received into a honeycomb db.

    I don’t know, my old brain tells me that the IRS would setup sting kiosk that would confirm fraud from non-fraud filings. How people ask? 2 or 3-step authentication, or assign keyfob authentication that is setup directly between an IRS member and “legitimate” taxpayer.

    With current biocentric security measures, no fraud should be happening with an authenticated tax payer receiving a refund from a due-diligence in the governement run IRS.

    • You haven’t been in a government building to do something lately, have you?

      I am not for smaller government, but there is absolutely a reson why people don’t trust government. It’s because they can’t find their own @sses with two hands, a flash light and illustrated instructions. There is NOTHING there that moves quickly, efficiently or well, except possibly the NSA. But they won’t tell.

      • This story is about a business mistake that led to the unauthorized release of employee information. It appears the inability to find one’s butt with one’s hand is not limited to government organizations. The reason is that everyone makes mistakes. Your irrational hatred of government has blinded you to simple truths.

        • Irrational? Slavery, separate but equal, internment camps, weapons of mass destruction, Patriot Act, selling weapons to the drug cartel and many more. The government including the IRS has done it’s part many times in giving away confidential data to the miscreants. Paul’s irrational distrust or your blinders, hmm.

      • Paul, why on earth are you NOT for smaller government??? Good Grief.

    • It’s the most wonderful time of the year. With the kids jingle belling. And everyone telling you “Be of good cheer” It’s the most wonderful time of the year.

      wow, who didn’t see this coming?

      Seagate perhaps.

      AW

      trust nothing

  7. I worked with 2 non profits who received emails from individuals claiming the be the ED for each Org. They were caught by vigilent employees.

  8. This really doesn’t sound like it should be a ‘thing’. I’m from the UK, so not familiar with US processes, but I can’t believe this is insoluble.

    When the IRS refunds, is it a bank transfer? How about making the changing of bank details take a month, with a validation letter of some sort, to buy time? Or not making a transfer more than once into any bank account number. How about the account name and number have to match? Do they send cheques? How about making them payee only? It’s not, I presume, as if they run down to Western Union with s handful of cash to transfer. I just can’t see how this isn’t solved with some fairly simple and conservative measures

    • The major problem here is a requirement passed by Congress that the IRS process tax refunds promptly (with a financial penalty for failing to do so).

      Unfriendly, promptly can be before the IRS has access to the documents in order to verify things.

      Delaying refunds is politically unpopular. Although, at this point, Congress just *is* unpopular, so perhaps it wouldn’t matter. However, worse than being unpopular, Congress is also mostly dysfunctional and obstructionist.

      Yes, adding in delays would help immensely, but, not entirely. You can file tax returns years after the fact, and if the government owes you money, there’s nothing wrong with doing so. (You have to pay interest and penalties if you owe taxes….)

      Generally, refunds are sent to banks, but there are lots of banks, there are privacy laws, and a bank account really is just a number. People’s names can change, or be disconnected from their refund.

    • Cliff,

      Part of the problem is the fact that there are millions of taxpayers in the U.S. that don’t have bank accounts and a non-trivial number of those can’t get bank accounts.
      Another problem is that due to refund delays in the past, the law requires that refunds be issued within a certain number of days after the filing of the tax return. There are exceptions to this in the law, but they don’t affect many people. Related to this, is the fact that in most cases, the deadline for issuing a refund is prior to the deadline for employers and other entities to submit tax and payroll info to the government.

    • Seagate almost certainly has DirectDeposit. They could send that list to the IRS and tax returns are only allowed for those employees to those accounts.
      If employees want it sent to another account, give them a week or two to add that as an optional account in DirectDeposit so it is included in the list sent to the IRS.
      May not be time for the IRS to get it in place in time for Seagate, but …

    • So the main problem is political, them. Some politicians used it as a point-scoring thing and created loopholes where things cannot be checked in an appropriate manner in time. Makes sense, I’m sure your IRS guys aren’t complete idiots, but I’ve less faith in politicians looking at your current line-up. Ay least I have a picture of why one of the best funded wings of one of the best funded governments in the world can’t manage a system that’s had since the birth of the country to evolve, already based on a functional older system.

      My approach, automated the compliant cases where there were no changes of circumstance (same name, address, bank details) which will be 90%+ then work harder on the edge cases. Change of address or bank requires a PIN sent by mail, say, or requires a failover to a paper-based submission which seemed to work fine for centuries. Operated in good faith, this will delay things by a week or two, but a postal/paper isn’t fast.

      I’m fond of Americans, with all your engineering prowess, wealthy agencies and mostly honest population, you deserve better than for this to be a thing I hear about 3000 miles away *every year*.

  9. Being a hard drive manufacturer means never having to delete anything, ever.

    • Actually, if you don’t have a retention policy (i.e. rules about when you should delete something), you expose your company to more risk from things like an attacker, and more costs in a litigation, etc.

      So yes, while they do make hard drives and could add more if they ever got low on space, I’m also sure they DO delete things.

      And more than likely, they purchase something like a netapp NAS anyway for network storage, rather than randomly hooking in a Seagate hard drive into a computer or server.

      • The funniest part about this story is that Seagate builds large storage systems for OEMs and the government and boasts about the security of their products

  10. @Cliff:
    Normally the IRS makes refunds to individual taxpayers by cheque.
    As you note, the problem is not insoluble. A primary issue is that the IRS only begins matching W-2s to 1040 individual returns starting in July. Since the due date for individual tax returns is generally April 15, many/ most refunds have already been made, i.e., the tax season is over.
    The GAO (Government Accounting Office) recommended in 2014 that the IRS begin the matching process earlier than July, that employers submit electronic W-2s filings earlier (due March 29, 2016 for 2015 W-2s) and that more employers be required to e-file W-2s. From available information, it appears that none of these recommendations have been implemented.

  11. Due dates for W-2 are set by law. They were 2/28 for paper filed and 3/31 for efiled W-2s. The law was just changed to require a 1/31 filing date beginning in 2017 for 2016 W2s.

    Also, the IRS will be testing via a pilot program, printing a verification number on Forms W2. This will likely be required to included in the efiled tax return.

    As for verifying bank accounts, don’t forget that a substantial minority of the population do not have bank accounts, or only have them from time-to-time. This is typically the same minority that is target market for tax refund loans.

  12. I know Krebs has mentioned this before but IT security is a thankless job. I warn all my people about these scams and about 5% appreciate it while the other 95% practically laugh in your face.

    The bigger issue here isn’t scammers/phishing, they will be around forverer… its the attitude of the baby boomers up about computer security in general, when they don’t understand, they mock you. Its sad but true.

  13. There is nothing new under the sun. Lowest common denominators rule again or should I say ruin again.

  14. The biggest issue here is the humans beings who no matter how much training, emails, and scams in the news just keep falling for this. I’ve been a security professional for well over 15 years and it has not changed in the slightest regardless of the program. The only time you see a change in attitude is when someone approaches you asking for advice because they just screwed up and became a victim. The red tape and annoyance from being in that situation usually changes their perspective very quickly.

    • Along with the, “I read it on the internet so it must be true!” mentality we also have the, “I received an email and I must do what it instructs me to do!”. And it works even better if those instructions appear to come from on high, like from a C level manager, because it has been drilled in us from an early age that we disobey authority at our own peril.

      There was a famous psychological experiment in the U.S. where test subjects willingly gave what they thought were real electric shocks to another person because they were ordered to do so by a man wearing a white coat.

  15. I work at a bank that monitors all e-mails and blocks any with personal info from being sent outside the organization – unless sent secure. A co-worker had her taxes done by her son – who accidentally sent the copies to her work e-mail. She tried to forward home, but it was blocked because it contained her SS#.

    This type of security would prevent the info from being sent outside the company accidentally. I wish I could feel safer about the secure e-mail, but even I – with my very limited knowledge of programing – can think of ways a thief could work bypass that without much effort. However, a case like this would have blocked it from going outside the company.

    • Would that software pick up that info in image or pdf format, since it was scanned in W-2’s that were sent? (or at least were in the example I saw that had hooked another company)?

      • It does for a pdf – the tax return copies of my co-worker was a pdf.
        I also know it will review and stop other attachments. I don’t know about photo attachments.

        • The Data Loss Prevention system we installed at the bank I work for does OCR scanning so yes, it can detect sensitive information in images. Which is good because many multi-function scanners simply put an image of the document into a PDF format.

          We also have it set to look for the phrasing used on forms like W-2’s and others and will stop those as well. Even if someone tries to send it “secure”, we will stop it if it seems to contain too many numbers. “Too many” is usually more than a few to other than a known destination like a 401(k) provider or too many going out even one at a time.

  16. I want to know about the employee who fell for the phishing scam … terminated? Should be at least some HR action …

    • I hope not. This is a failure of not one person, but a failure of company policy which includes security training.

    • HR usually includes the payroll personnel. I know it’s just anecdotal on my part, but of all the HR/payroll people I know personally and professionally, the majority have difficulty wrapping their heads around ID theft. The security training does need to be company policy – because policy is one thing that HR follows WELL, even if they don’t understand the “why” behind it.

  17. Search for and punish the guilty? Yes, individually and corporately. But then take on the task of prevention. Much harder, I think.

    • Problem with all of this- where ever it has happened and where ever it will happen again, there is little employee documentation about the issue(s).

      If a person feels they are going to be called out or fired, they simply quit and move onto another organization. Then they were never counseled on the company’s behalf, never been fired, so in a sense they can answer “No” to most of hose questions if they exist on the new employers application.

      When another firm calls about the ex-employee, the communication about the performance of the individual is very limited in what you can say. So, this person may end up at another organization and potentially could do the same sort of knee-jerk reaction again without anyone being the wiser.

      If there was some sort of indication that this person was part of a mishap, then these people could be properly indoctrinated or, given limited access to vital files.

      Mistakes and Insider threats can be documented this way. How to make an accurate and trustworthy system could save companies billions, but if it is profits they have to spend, it would rather be in a reactive state that a proactive one.

  18. Think of this, Why on earth would the CEO EVER need something this massive? You think the CEO is ever going to do his own research? He has people he can task to do this.

    Obviously any security awareness training that was given was worthless, or the person involved in giving this data away without question, at a minimum needs a whole bunch of training. Knee-jerking at any demand when a whole boatload of PII paperwork is involved without consenting HR, legal or other resources is just plain lazy and irresponsible.

    A phone call could have saved embarrassment. Even if it was legit and requested a slight butt-chewing for questioning the request would have show some one was doing so due care/ due diligence on the matter.

  19. You know call me crazy…but is it too hard to implement a control here like 2 man rule or something? ya know, when sending (or granting access) to every W-2 of every employee to an external party.

  20. How many more such breaches of critical HR information will it take for someone to figure out how to put HR data troves under dual, or triple, locks to make it idiot-proof ? i.e. a single person not able to access this data for retrieval.

  21. I hope this employee was given walking papers already. How can one employee be granted this much clout to share everyone’s personal information like this. It’s absolutely tragic. No checks and balances at Seagate? I’ve heard terrible stories about their management and HR depts so I guess it’s true. Poor employees. I wish them all the best in staying on top of this situation. Seagate should be paying for their surface for a lot longer than two years.

  22. same thing happened to my company, same time frame too, at Pharmaca Integratice Pharmacy. 800 employees W2’s were sent to this person posing as an corporate employee. sucks to have to go through this

  23. Someone’s gonna kiss the donkey … I’d have to say, if I was Seagate employee and found out exactly who hit the SEND button, wouldn’t care who it was … they’d get to experience rage in the workplace upfront and personal. LOL

  24. These comments show why the immature, crappy, little, INFOSEC occupation will never go anywhere or be taken seriously.
    You all sound like little spoiled children. No wonder your businesses never listen to you.
    Enjoy siting at the little kids table l0s3rs.

  25. What the **** ever happened to thinking? My God, is being clueless now a job requirement? I don’t think and make a mistake, I get crucified without nails. Why didn’t that horse’s backend of an employee ask his/her supervisor or at least inform him or her of what the email’s contents.

  26. I’ve got to side with those calling out the lack of thinking on the part of the employee that allowed the FTI to get loose.

    A request of this nature should have set off alarms in the mind of the person receiving it, and at the very least, a phone call to verify the request should have been in order.

    Even social engineering is avoidable with a little bit of common sense… although, as ‘Old School’ pointed out, it seems nowadays like being clueless *is* a job requirement… or maybe a cultural or life-requirement of some kind. Is this the affect of the reality TV generation? Whiskey Tango Foxtrot!?!

  27. Our HR Manager got this, “from” our Managing Partner. Fortunately she saw it for what it was.

  28. My boyfriends company in Florida received one of these emails today. It stated that he wanted copies of all employee 2015 documents by the end of rhe day today. He is the CEO of a small to mid-size company. They used his email address with his name and included his middle initial in the signature. The HR person that received the email was smart enough to question it because he doesn’t use his middle initial in his email signature. She didn’t send the requested information to the creeps.

  29. Doesn’t anyone in IT/security at Seagate read Brian’s blog?
    If someone does, then why wasn’t there a memo sent to all people who have access to the kind of information we are discussing, such as “people, be aware that this kind of a scam is spreading …”?

  30. This happened to Acronis as well. My information was sent out a few weeks back. Thankfully I have already filed my taxes, but am taking the necessary precautions with protecting my ID and possible fraudulent tax filings.