Seagate sued by own staff after executive falls for phishing scam
Following the leakage of personal information by the HR department, staff at Seagate is now suing its own company.
Earlier this year, a senior HR executive at Seagate fell for a phishing scam, which resulted in thousands of employees’ tax information being exposed. The employee was fooled into giving away personally identifiable information (PII) of 10,000 past and current employees and W-2 forms that include their Social Security numbers along with their wage, salary and tax information to the scammers who posed as the CEO Stephen Luczo of the company.
Seagate was accused of malpractice and a lack of regard for employees through negligent data management in a class-action lawsuit filed at Northern California District Court back in July.
The suit suggested that Seagate engaged in “unfair” business practices and that in many cases the partners and families of employees were directly affected by the leak.
“In order for the cyber criminals to have obtained employees’ spouses’ Social Security numbers, Seagate would have had to have disclosed more than just the Form W-2 data for employees,” said the complaint.
“Seagate would have to have disclosed additional information, such as retirement fund or insurance beneficiary that contained the personally identifiable information of third parties.”
The lawsuit claims that the data thieves are already using the stolen details to their own evil ends, and indeed alleges that the criminals began to exploit the data “almost immediately” after the phishing attack happened, filing fraudulent tax returns in the names of some staff members.
“No one can know what else the cybercriminals will do with the employees’ and third-party victims’ personally identifiable information. However, the employees and third-party victims are now, and for the rest of their lives will be, at a heightened risk of identity theft,” the lawsuit alleges.
Seagate informed staff members of the data breach three days after the event, but several of them did not receive any sort of warning until a week later, by which point many had “already [become] the victims of identity theft.”
The lawsuit added, “Many employees and third-party victims have already suffered out-of-pocket costs attempting to rectify fraudulent tax returns and engaging services to monitor and protect their identity and credit.”
On the other hand, Seagate is disputing the claim and wants the case to be thrown out.
Seagate has said that the case should be dismissed on the grounds that it cannot be held responsible for the actions of the criminals who carried out the phishing attacks.
“Plaintiffs seek to hold Seagate responsible for harm allegedly caused by third-party criminals,” Seagate claims.
“But Plaintiffs cannot state a claim based solely on the allegation that an unfortunate, unforeseen event occurred. They must actually allege facts that show they are entitled to relief from Seagate.”