In March 2016, Seagate fell for a whaling scam, which resulted in the leakage of around 10,000 former and current employees’ records. Based on this massive data breach, a class-action lawsuit led by affected employees now accuses the company of malpractice, lack of surveillance, and poor handling of sensitive data, as reported by ZDNet.
It all started with a whaling attack
On March 1, a member of the HR department was targeted by a whaling campaign. The email spoofed Seagate CEO Stephen Luczo and requested the handover of W-2 forms and personally identifiable information (PII) of all employees. Believing it was a legitimate email, the employee delivered this invaluable information right into the fraudsters’ hands.
It took three days to notify affected employees
Staff were informed only three days after the scam, and in some cases they didn’t receive any information for a week, by which time it was too late. The information held by fraudsters included Social Security numbers, tax paid, salary information, and other data that put the legitimate owners at risk of identity fraud.
Human errors are preventable with education
If the HR employee had been aware of phishing attacks, could this massive breach have been prevented? Yes, it could have been. Phishing and whaling email campaigns often get past spam filters, especially when they spoof the target company’s email addresses, making the recipient the ultimate decider of the campaign’s success or failure. At this point, technology is useless. Whether the target falls into the trap or recognizes the fraud depends on their awareness of phishing scams.
If you are concerned about your security, take the Phishing Staff Awareness e-learning course. You will learn what phishing is, which scams you might encounter (even on social media), how to recognize them, and how to stay safe.