Seagate Technology: Phishing cyberattack leaves thousands of employee tax records exposed

Seagate Technology, the California-based data storage giant, has suffered a phishing attack that compromised thousands of tax documents from current and past US-based employees – leaving sensitive information such as Social Security Numbers, salaries and other personal data exposed.

According to Seagate, as reported by security researcher Brian Krebs, the cyberattack took the form of a phishing scam directed at the company's finance and human resources teams. The malicious email was spoofed to appear like it was sent from the firm's CEO and openly requested all employee tax documents.

"On 1 March , Seagate Technology learned that the 2015 W-2 tax form information for current and former US-based employees was sent to an unauthorised third party in response to the phishing email scam," confirmed Seagate spokesman Eric DeRitis. "The information was sent by an employee who believed the phishing email was a legitimate internal company request."

"When we learned about it, we immediately notified federal authorities who are now actively investigating it. We deeply regret this mistake and we offer our sincerest apologies to everyone affected. Seagate is aggressively analysing where process changes are needed and we will implement those changes as quickly as we can."

While DeRitis would not confirm the exact number of how many employees were impacted because of the ongoing federal investigation, he added: "It's accurate to say several thousand. But less than 10,000 by a good amount."

Now, fears are growing the data could be used to file phoney tax refund requests with the Internal Revenue Service (IRS) – which has been having its own mounting problems with hackers and cybercriminals. It was recently revealed that the IRS received more than 490,000 identity theft complaints in 2015, which was nearly a 50 percent jump from 2014.

Additionally, fallout from the IRS cyberattack that occurred in May last year continues to expand, as it was recently revealed to have hit twice as many US taxpayers than previously reported.

When the incident was first revealed, the IRS said tax return details of just over 100,000 US-based taxpayers had potentially been compromised but three months later that number had rocketed to include another 220,000 known breaches and over 170,000 failed hacking attempts. Then, most recently, a nine-month investigation by the Treasury Inspector General for Tax Administration found an additional 390,000 accounts were potentially exploited by the unknown hackers.

Phishing for trouble

Seagate, which develops high-profile hard drives and data storage technology, is the latest in a long line of firms hit with phishing-style cyberattacks which are frequently deployed by hackers in a targeted manner using personal data acquired from sources like social media accounts or company profiles to help craft emails that appear genuine.

The same tactic was recently used to compromise sensitive payroll data from popular messaging platform Snapchat after a member of staff fell victim to an email impersonating the company's chief executive Evan Spiegel. Meanwhile, FACC, an aerospace manufacturer that supplies engine and interior parts for the likes of Airbus and Boeing was hit earlier this year with a suspected phishing scam that resulted in the loss of $55m (€50m, £38m) from the company's accounts.