The W-2 tax documents of several thousand current and former employees of data storage company Seagate ended up in the hands of fraudsters after an employee fell victim to a phishing attack.
Seagate confirmed to SecurityWeek that the 2015 W-2 tax form information for current and former employees based in the United States was sent to an “unauthorized party” in response to a phishing scam. The company noted that only tax information for the year 2015 was exposed in the breach that came to light on March 1.
“The information was sent by an employee who believed the phishing email was a legitimate internal company request. When we learned of the incident, we immediately notified the IRS which is now actively investigating it along with federal law enforcement,” Seagate spokesman Eric DeRitis said in an emailed statement. “At this point we have no information to suggest that employee data has been misused, but caution and vigilance are in order. We deeply regret this mistake and we offer our sincerest apologies to everyone affected.”
DeRitis said the exact number of affected employees has only been shared with the IRS and federal authorities. “It’s accurate to say several thousand, but it is less than 10,000 by a decent amount,” he told SecurityWeek.
The incident was first reported by security blogger Brian Krebs who learned about the incident from a former Seagate employee.
Seagate claims it’s in the process of making changes to prevent future incidents. In the meantime, the company will cover the costs of a two-year Experian ProtectMyID membership for affected employees.
W-2 forms, which show the amount of taxes withheld from an employee’s paycheck, are used to file federal and state taxes. These documents include social security numbers and other personal details, which can be leveraged by malicious actors to file fraudulent tax returns with the IRS.
It’s not uncommon for such information to be abused by fraudsters. The tax agency reported last month that cybercrooks had used stolen SSNs to generate over 100,000 PINs on the IRS’s Electronic Filing PIN application.
SSNs and other information was also used last year to target the IRS’s “Get Transcript” application. The agency revealed last week that the incident affected more than 700,000 taxpayers.
Business email compromise (BEC) scams, such as the one targeted at Seagate, are also increasingly common. Aircraft parts manufacturer FACC AG revealed in January that cybercriminals managed to steal $54 million in a scheme targeting the company’s finance department.
“Phishing scams are increasingly more sophisticated and convincing, and today’s news is a great example of how difficult it can be to avoid such targeted schemes. In this case, it appears that electronic digital rights management could have helped maintain data privacy,” Scott Gordon, COO of file security company FinalCode, told SecurityWeek. “Using the proper controls for data access and encryption would ensure that the file owner – in this case Seagate –maintains control of the data, even after it was mistakenly sent. Certainly, the capability to remotely delete the files after they were sent would have been very useful too.”
Related Reading: Social Engineering – How an Email Becomes a Cyber Threat

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Zyxel Firewalls Hacked by Mirai Botnet
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
- Drop in Insider Breaches Drives Decline in Intrusions at OT Organizations
- Zero-Day Vulnerability Exploited to Hack Barracuda Email Security Gateway Appliances
- OAuth Vulnerabilities in Widely Used Expo Framework Allowed Account Takeovers
- New Honeywell OT Cybersecurity Solution Helps Identify Vulnerabilities, Threats
- Rheinmetall Says Military Business Not Impacted by Ransomware Attack
Latest News
- PyPI Enforcing 2FA for All Project Maintainers to Boost Security
- Personal Information of 9 Million Individuals Stolen in MCNA Ransomware Attack
- Many Vulnerabilities Found in PrinterLogic Enterprise Software
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
