A Sample Of A Widely Distributed Email That Had Been Received Around The Time Of The Data Leak:
(Target’s Name)
I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.
(Signed Your Boss)
On February 28, 2016, an employee in Snapchat’s payroll department received an email impersonating its CEO, Evan Spiegel. Approximately 700 W-2 records of current and former employees were released.
The individuals behind the scam are exploiting human gullibility rather than weaknesses in software or hardware. Instead of forcing their way into computer networks, which is difficult and time-consuming, scammers use social engineering tactics on employees. The information needed to start such a scam (who the CEO is, who handles payroll, what the company’s email looks like) is usually easily accessible via websites like LinkedIn, Twitter, Facebook, company websites, personal resume websites, and similar services.
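The email quoted at the top of this post carries the signals a payroll inbox filter can check for: an executive’s display name on a message sent from outside the company, a Reply-To that diverts answers elsewhere, and an urgent request for W-2 data. The following check is an added example written for this post, not code from Snapchat, Seagate or ECBM; the executive list, company domain and sample addresses are placeholders.

```python
"""Flag executive-impersonation emails that ask for W-2 data (defender check)."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Hypothetical org data: executives who are impersonation targets and
# the domains the company actually sends mail from. Placeholders only.
EXECUTIVES = {"evan spiegel", "dave morton"}
COMPANY_DOMAINS = {"example.com"}
PAYROLL_TERMS = ("w-2", "w2", "wage and tax statement")
URGENCY_TERMS = ("asap", "urgent", "immediately", "right away")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address ('' when there is none)."""
    return addr.rpartition("@")[2].lower()


def score_message(raw: bytes) -> dict:
    """Parse one RFC 5322 message and return the impersonation signals found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    part = msg.get_body(preferencelist=("plain",))
    text = (part.get_content() if part is not None else "").lower()
    signals = {
        # A known executive's display name on a message from outside the company
        "exec_name_external_sender": name.strip().lower() in EXECUTIVES
        and _domain(addr) not in COMPANY_DOMAINS,
        # Replies silently routed to a different domain than the sender's
        "reply_to_mismatch": bool(reply) and _domain(reply) != _domain(addr),
        "payroll_request": any(t in text for t in PAYROLL_TERMS),
        "urgency": any(t in text for t in URGENCY_TERMS),
    }
    # Only a payroll-data request combined with an identity signal is escalated
    signals["suspicious"] = signals["payroll_request"] and (
        signals["exec_name_external_sender"] or signals["reply_to_mismatch"]
    )
    return signals


# Constructed sample modelled on the email quoted above; addresses are fictitious.
SCAM_SAMPLE = (
    b'From: "Evan Spiegel" <ceo.office@example-mail.net>\n'
    b"Reply-To: ceo.office@example-mail.net\n"
    b"To: payroll@example.com\n"
    b"Subject: W-2 copies\n"
    b"Content-Type: text/plain; charset=utf-8\n\n"
    b"I want you to send me the list of W-2 copy of employees wage and tax\n"
    b"statement for 2015, I need them in PDF file type. Kindly prepare the\n"
    b"lists and email them to me asap.\n"
)

if __name__ == "__main__":
    print(score_message(SCAM_SAMPLE))
```

A message flagged this way should go to a second person for out-of-band confirmation with the named executive, which is the control both companies in this post lacked.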
Dave Morton, CFO of Seagate, a digital storage device manufacturer, reported to employees in an email on March 4th, 2016 that they had been targeted and had released the same sensitive information to the scammers. “This mistake was caused by human error and lack of vigilance, and could have been prevented”, reads the email. 2,500 W-2s were leaked in this phishing attack.
The IRS reported an increase of 400% in phishing and malware incidents this year. It reports that there have been several victims, but has not disclosed how many other employers have reported leaking personal information to unauthorized parties.
Identity theft and other IRS/tax scams are common during tax return season (January through April every year in the U.S.). With a stolen W-2, a scammer could pose as an individual to claim their tax return. Another possibility is that the individual whose data was stolen could be subjected to further scams, including scammers posing as representatives of the IRS or the state’s division of taxation to force payment of “taxes due” via phone, email, or mail.
Finally, the information could be used in other non-tax related identity theft schemes. Including
Employees affected in both of the above cases are receiving two years of credit protection paid for by the company, but this will not help much if the purpose of the scam was to file fraudulent tax returns. Employees must file paperwork with the IRS to report the breach, file a paper return, and even report the issue in person at an IRS office to get the process started. Talk about a productivity issue.
The IRS reported that in 2016 tax filing credentials for over 100,000 social security numbers were stolen from a contractor’s systems. This information allows the filing of electronic returns (e-returns). No personal information was released, but over 450,000 queries were initially made, which shows how easy it has become for attackers to gather huge amounts of personal information and quickly flip it. (Individuals affected by this bot attack were notified by mail by the IRS in February 2016.)
According to Charlie E. Bernier, Principal Consultant for the Professional Liability and Cyber Division at ECBM, “Cyber insurance would cover this mistake made by an employee, even if it came from phishing/spear phishing.” It’s important to note that your coverage should include language that covers data released by employees either on purpose or by accident. Sometimes your coverage may exclude this in favor of brute force attacks or other types of cyber sabotage by a third party.
This happened to a Texas manufacturing firm, and it ended up suing its insurance provider after an email scam defrauded the company of $480,000. The director of accounting at the company had received a series of emails from someone claiming to be the CEO. The scam also included a phone call confirming the email that requested the wire transfer. By the time the company realized it was a scam and tried to recover its funds, it was too late.
The insurance firm denied the claim because the scam, also called “business email compromise” or CEO fraud, did not involve the specific forgery that would activate the policy’s protection; the payment was considered a voluntary transfer of money.
For the loss of Personal Identification Information (PII), the average cost per record would have been around $215, meaning that Snapchat’s claim would exceed $150,500.
The costs of a breach or scam would most likely include credit monitoring for all of the affected employees for 2 years, training for staff to avoid future scams and attacks, improvement of systems and encryption, internal investigations, changing vendors and software to reduce the risk of a single point of failure, and the unknown costs of lost employee productivity.
Charlie also recommends making sure that your cyber insurance policy would protect you in case of a data leak or transfer: be sure that your policy includes Rogue Employee Coverage.