Storage device manufacturer Seagate's executives informed employees last week that their income tax data had been shared with an unknown outside party as the result of a targeted phishing attack. On March 1, a Seagate employee sent the data to an outside e-mail address after receiving an e-mail purportedly from Seagate's CEO Stephen Luczo requesting 2015 W-2 data for current and former Seagate employees. The employee, believing the request to be real, forwarded the W-2 reporting data—exposing everyone at Seagate to potential tax fraud and identity theft.
The Seagate breach comes less than a week after Snapchat employees' data was leaked in the same way. Security reporter Brian Krebs reported the breach after learning of it from a Seagate employee who had been given written notification of the breach.
Seagate's spokesperson Eric DeRitis confirmed the incident to Krebs: "On March 1, Seagate Technology learned that the 2015 W-2 tax form information for current and former US-based employees was sent to an unauthorized third party in response to the phishing e-mail scam. The information was sent by an employee who believed the phishing e-mail was a legitimate internal company request.” DeRitis told Krebs "several thousand" employees were affected and that the company is working with federal law enforcement; employees will receive two years of credit protection from the company.