Storage manufacturer Seagate is facing a class-action lawsuit brought against it by the company’s own employees. It comes after a senior HR executive was tricked into handed over workers’ personal information in a phishing scam.
Back in March, cybercriminals sent an email to Seagate HR that appeared to originate from company CEO Stephen Luczo. It requested copies of employees’ 2015 W-2 tax forms and other personally identifiable information, which were duly handed over. The documents contained names, social security numbers, income figures and home addresses – a trove of valuable data for identity theft fraudsters.
Nearly 10,000 current and past employee details were sent to the scammers, along with those of any family members and beneficiaries named in the documents.
As noted by The Register, employees filed the lawsuit against Seagate in July, accusing the firm of malpractice and a lack of regard for employees through negligent data management. The suit claims the information was “almost immediately” used to file fraudulent tax forms and for other methods of ID theft.
"In order for the cyber criminals to have obtained employees' spouses' Social Security numbers, Seagate would have had to have disclosed more than just the Form W-2 data for employees," states the complaint.
"Seagate would have to have disclosed additional information, such as retirement fund or insurance beneficiary, that contained the personally identifiable information of third parties."
The lawsuit is requesting a trial by jury for damages and out-of-pocket expenses for employees and third-party victims. Seagate wants the complaint dismissed and has said it’s up to the complainants to prove the company’s negligence. But in an email to employees on March 4, the firm’s CTO allegedly took responsibility for the leak, writing that it “was caused by human error and lack of vigilance, and could have been prevented."
Seagate claims that: "Plaintiffs seek to hold Seagate responsible for harm allegedly caused by third-party criminals. But Plaintiffs cannot state a claim based solely on the allegation that an unfortunate, unforeseen event occurred. They must actually allege facts that show they are entitled to relief from Seagate."