[BreachExchange] What's the price for flinging your workers' private info at crooks? For Seagate, it's $6m

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jul 31 21:21:54 EDT 2017


https://www.theregister.co.uk/2017/07/28/seagate_to_pay_5m_phishing/

Seagate will cough up $5.75m to settle a lawsuit brought after its bungling
staff accidentally handed over employees' sensitive information to
fraudsters.

The storage giant told the California Northern US District Court this week
that it is willing to cover the cost of identity protection services as a
result of that privacy cockup: specifically, it'll pay up to $3,500 for
each of the 12,000 employees whose data was leaked in a 2016 phishing
attack.

The settlement, submitted to Judge Richard Seeborg, also includes Seagate
paying for insurance coverage totaling around $42m for the costs the
workers might incur from identity theft resulting from the attack – which
has already been linked to a string of fake tax return scams.

The deal would put to rest the claims that the company was criminally
negligent and in violation of California competition laws when, in 2016,
one of its workers was duped by a phishing email and handed over the W-2
forms of everyone who had worked for the biz in the previous calendar year.

"Almost immediately, the cybercriminals exploited Seagate's wrongful
actions and filed fraudulent federal and state tax returns in the names of
the employees," the complaint alleges.

"Some employees have learned that the cybercriminals filed fraudulent joint
tax returns, using not only the employee's social security number, but also
the employee's spouse's social security number."

Six named employees – Everett Castillo, Linda Castillo, Nicholas Dattoma,
Freda Lang, Wendy Tran and Steven Wilk – filed suit on behalf of all the
workers whose personal info, including social security numbers, was leaked.

In filing for the settlement, attorneys for the plaintiffs say that the
$5.75m is likely more than they would have been awarded had they taken the
case to trial. The payout would not only cover two years of identity theft
services from credit reporting and financial services conglomerate
Experian, but also any other expenses the workers incurred when they had to
clear their names for the fake tax returns.