Seagate is trying to fend off a lawsuit brought by its own employees after the company fell for a phishing scam that exposed sensitive staff data.
The electronics maker is the focus of a class-action lawsuit, originally filed in July through the Northern California District Court, which accuses Seagate of malpractice and a lack of regard for employees affected by the negligent handling of data.
In March this year, Seagate HR was duped into handing over W-2 forms and the personally identifiable information (PII) of the company’s current and past employees.
These documents are used by the IRS to calculate tax and contain Social Security numbers, wage and salary information, tax already paid and other valuable information which can be used by scammers to commit identity fraud.
The operators behind the phishing campaign pretended to be Seagate CEO Stephen Luczo while requesting the 2015 forms, which were then willingly handed over by an unsuspecting member of human resources.
It is believed that data belonging to roughly 10,000 current and past employees was exposed — as well as that of anyone named in the W-2 documents, such as family members or beneficiaries.
As noted by The Register, the lawsuit alleges that Seagate was negligent and engaged in “unfair” business practices through its poor handling of employee data and its subsequent handling of the data leak.
It is still not known who the threat actors behind the phishing campaign are. However, the complaint says that the group “almost immediately” exploited the stolen data by filing fraudulent federal and state tax returns on behalf of employees and third-party victims. In some cases, joint claims were filed on behalf of staff and their wives or husbands.
“In order for the cybercriminals to have obtained employees’ spouse’s Social Security numbers, Seagate would have had to have disclosed more than just the Form W-2 data for employees,” the complaint reads. “Seagate would have to have disclosed additional information, such as retirement fund or insurance beneficiary information that contained the PII of third parties.”
“No one can know what else the cybercriminals will do with the employees’ and third-party victims’ PII. However, the employees and third-party victims are now, and for the rest of their lives will be, at a heightened risk of identity theft,” the complaint added.
Seagate informed staff members of the data breach three days after the event, but many did not receive any kind of warning until a week later, by which point many had “already [become] the victims of identity theft.”
In an email to employees on March 4, Seagate’s chief financial officer allegedly took responsibility for the breach, saying that the data leak “was caused by human error and lack of vigilance, and could have been prevented,” according to the complaint.
The class-action suit says that Seagate has offered little in the way of restitution beyond credit monitoring, which some employees already have.
The lawsuit asks for a trial by jury, as well as damages and out-of-pocket expenses caused by identity theft to be paid to both employees and third-party victims.
Seagate, however, disputes the claims and wants the lawsuit dismissed. The company says that the complainants cannot hold Seagate responsible for the damage caused by the scammers, and that for the lawsuit to hold merit, they “must actually allege facts that show they are entitled to relief from Seagate.”
ZDNet has reached out to Seagate and will update if we hear back.