[BreachExchange] Data Breach Class-Action Lawsuit Sprouts in California

[Audrey McNeil]

https://www.lawyersandsettlements.com/articles/data-breach/sprouts-farmers-market-inc-internal-revenue-21609.html?utm_expid=3607522-13.Y4u1ixZNSt6o8v_5N8VGVA.0

A data breach lawsuit has sprouted up in California, alleging that a
phishing scam has resulted in the hacking of wage and tax forms belonging
to some 21,000 employees in 13 states.

The defendant is Sprouts Farmers Market Inc., an enterprise based in
Phoenix, Arizona, with 224 stores across the country. The allegation is
that W-2 Wage and Tax forms belonging to any employee having worked for
Sprouts in 2015 may have been compromised.

The allegation is that the phishing scam actually resulted in Sprouts
voluntarily releasing the sensitive documents into the wrong hands. With
the W-2 Wage and Tax information, hackers will allegedly now have in their
possession personal information including full names, addresses, and Social
Security numbers, amongst other sensitive intel on the employees involved.

The lead plaintiff in the data breach lawsuit is accusing Sprouts of
negligence for failing in its duty to its employees, to “maintain, protect,
and safeguard their releasing private tax information to a third party who
is believed to be using the data for illegal purposes.”

According to the data breach lawsuit, the payroll department responded to a
request for W-2 IRS (Internal Revenue Service) information attached to all
current and former employees for the 2015 taxation year, in early March of
this year. The request had purportedly come from a senior executive of
Sprouts. However, it was quickly determined that the executive in question
had not made the request, but rather a hacker who had posed as the senior
executive in the phishing scam.

It is alleged that someone in payroll fell for the ruse, and released the
information as requested. The lead plaintiff in the data breach class
action, Julio Hernandez, holds that Sprouts should have known that such a
scam was possible, and should have had proper checks and balances in place
to ensure such a request was not honored without proper vetting.

Hernandez, a resident of San Diego and a former employee of the defendant,
also accuses Sprouts of doing little to remedy the situation after
initially informing affected employees of the data breach. An offer of 12
months’ worth of credit monitoring and insurance by the employer does
little to aid potential class members, Hernandez says, in that monitoring
can only succeed to inform class members of suspicious activity, but can do
nothing to prevent it.

“Going forward, Plaintiff anticipates spending considerable time in an
effort to contain the impact of Defendant’s Data Breach on himself,” the
data breach lawsuit states. “Plaintiff suffers from an increased risk of
future identity theft as a result of Defendant’s actions.”

The Sprouts W-2 Data Breach Class-Action Lawsuit is Julio Hernandez v.
Sprouts Farmers Market Inc., Case No. 16-cv-0958 in the US District Court
for the Southern District of California.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160719/eebbdc46/attachment.html>