Lincare Inc, a respiratory therapy supplier, agreed to pay $875,000 to settle a class-action lawsuit filed by employees whose W-2 information was exposed. The data breach occurred on February 3, 2017, when an employee in the human resources department responded to a phishing scam. The employee received an email that appeared to come from a high-level executive asking for copies of the W-2 information of the company’s employees. Believing the request was genuine, the HR employee replied with the requested information.
When Lincare discovered the accidental disclosure of employee information, the affected persons were notified and offered credit monitoring and identity theft insurance for two years as well as free remediation services. However, three employees, Patricia Smith, Andrew Giancola and Raymond T. Scott, filed a lawsuit against Lincare on October 16, 2017. The allegations include negligence, breach of fiduciary duty, breach of implied contract and violation of Florida’s Deceptive and Unfair Trade Practices Act.
The lawsuit ended in a settlement in which Lincare agreed to pay $875,000 without admission of liability. Class members will be compensated from a total of $550,000. The remaining $325,000 is reserved for compensating class members who experience eligible incidents such as a fraudulent credit card being opened, a fraudulent tax return being filed or a fraudulent loan being applied for in their name.
W-2 phishing scams have increased in the past year, with over 100 U.S. organizations becoming victims, especially during the tax season. The W-2 information of over 120,000 employees has been exposed, much of which has been used for filing fraudulent tax returns and identity theft.
Usually the W-2 phishing scams involve Business Email Compromise (BEC) attacks where a scammer poses as a senior executive asking an employee in the finance or HR department to provide copies of the employees’ W-2 forms via email. Sometimes, an executive’s email address is spoofed; at other times, the executive’s email account is used. The scammer gains access to the account through a phishing attack or by using a brute force attack to guess weak passwords. Because most employees trust their senior executives and are unwilling to question requests, they fall victim to the phishing email.
Databreaches.net has reported 145 W-2 phishing attacks in 2016 and more than 100 attacks in 2017. The actual figure is likely higher since not all companies report such incidents. To avoid falling victim to such attacks, here are some administrative and technical measures:
- Install spam filtering solutions to reduce the number of phishing emails received and block spoofed emails. However, this is not enough to block emails sent from compromised email accounts.
- Give additional security training to HR, finance and payroll employees.
- Make internal policies that do not allow executives to ask for W-2 information via email.
- Make policies requiring verification by phone or personal appearance when requesting W-2 information.
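As an added illustration of the spoofed-versus-compromised distinction described above and of the verification policy in the list (example code, not from the article or from Lincare), the check below holds any inbound message that asks HR for W-2 data so it can be verified by phone or in person; header checks catch a spoofed or lookalike sender, while the policy rule also fires on a genuine executive mailbox that has been compromised. The corporate domain, the executive roster and the three sample messages are constructed, and the messages are assumed to be single-part plain text.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed corporate domain and executive roster (display name -> real mailbox).
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

W2_PATTERN = re.compile(r"\bW-?2s?\b", re.IGNORECASE)
ASK_PATTERN = re.compile(r"\b(send|forward|attach|provide)\b", re.IGNORECASE)


def assess_w2_request(raw_message: str) -> list:
    """Return the reasons a message should be held for out-of-band verification."""
    msg = message_from_string(raw_message)
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    # An executive's display name on a mailbox that is not theirs: spoof or lookalike domain.
    roster_addr = EXECUTIVES.get(name.lower())
    if roster_addr and addr != roster_addr:
        reasons.append(f"executive display name '{name}' with non-roster address {addr}")
    # A Reply-To that differs from From diverts HR's reply to the scammer.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr:
        reasons.append(f"Reply-To {reply_addr} differs from From {addr}")
    # SPF/DKIM verdicts as recorded by the receiving gateway (constructed header values).
    auth = msg.get("Authentication-Results", "").lower()
    if domain == CORP_DOMAIN and ("spf=fail" in auth or "dkim=fail" in auth):
        reasons.append("claims corporate domain but failed SPF/DKIM")
    # Policy rule: W-2 data is never requested by email, so this fires even when the
    # headers are clean because the executive's real account was compromised.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    if W2_PATTERN.search(text) and ASK_PATTERN.search(text):
        reasons.append("requests W-2 data by email (policy: verify by phone or in person)")
    return reasons


# Constructed sample messages: lookalike-domain spoof, compromised real account, benign.
SPOOFED = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.urgent@mail-example.net
To: hr@example.com
Subject: W-2 copies needed today
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com

Please send me the W-2s for all employees as a PDF. I need them for a review.
"""
COMPROMISED = """From: Jane Doe <jane.doe@example.com>
To: hr@example.com
Subject: Quick favor
Authentication-Results: mx.example.com; spf=pass; dkim=pass

Can you forward the W-2 forms for all staff to me this morning?
"""
BENIGN = """From: Jane Doe <jane.doe@example.com>
To: hr@example.com
Subject: Q3 hiring plan
Authentication-Results: mx.example.com; spf=pass; dkim=pass

Please send me the headcount plan for Q3.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("compromised", COMPROMISED), ("benign", BENIGN)):
        print(label, assess_w2_request(sample))
```

The compromised-account sample passes every header check and is caught only by the policy rule, which is the gap the spam-filter caveat in the list refers to.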