A class-action lawsuit stemming from a W-2 phishing scam, in which an employee of the respiratory therapy supplier Lincare Inc. sent employees' W-2 forms to a scammer, has been settled for $875,000.
As is typical of Business Email Compromise (BEC) attacks of this kind, the scammer posed as a senior executive and emailed a member of the HR department requesting W-2 information for the company's employees. The employee replied to the email, attaching W-2 information for some of the firm's employees.
The accidental disclosure of sensitive information occurred on February 3, 2017. The incident was detected by Lincare, but not in time to prevent the theft of the data. Lincare took steps to reduce the potential for harm by offering all affected employees two years of complimentary credit monitoring and identity restoration services, although that was not sufficient to prevent a lawsuit from being filed by some of the firm’s employees.
The employee's response is understandable: a seemingly genuine request arrived by email and appeared to come from the executive's correct email account. Hundreds of employees have fallen for similar scams. That appearance is exactly what BEC relies on. The display name of a real executive is paired with a spoofed, lookalike or free-mail address, and a recipient who sees a familiar name rarely inspects the address behind it.
Three Lincare employees alleged that Lincare was negligent and had failed to take sufficient steps to protect their sensitive personal information. In addition to negligence, the complaint alleged that Lincare had breached its fiduciary duty to employees, that there had been a breach of contract, and that Florida's Deceptive and Unfair Trade Practices Act had been violated.
Lincare filed a motion to dismiss the lawsuit; before responding to it, the plaintiffs filed their First Amended Class Action Complaint. Before a response to the amended complaint was received, the plaintiffs requested a stay of the litigation so that the parties could attend mediation. The court granted the stay, and the settlement was reached through mediation with no admission of liability.
Lincare has agreed to pay $550,000 in compensation to the class members and has made a further $325,000 available to class members who experience an ‘eligible incident’ as a result of the phishing scam, such as identity theft, a fraudulent tax return filed in their name, or fraudulent use of their information to take out a loan or credit card.
The settlement highlights the cost of a single phishing email and the importance of implementing technical controls, policies, and procedures that reduce the chance of employees' sensitive information being disclosed.
The past two years have seen more than 250 successful W-2 phishing attacks reported and the W-2 information of more than 120,000 employees was obtained by scammers in 2017 alone.
By conducting security awareness training, running phishing simulations, and implementing a policy that every request for W-2 information is verified by phone, using a number already on file rather than one supplied in the email, companies can greatly reduce the risk of such a scam succeeding.
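The phone-verification policy above depends on the employee noticing that something is off. A mail gateway or SOC script can take some of that burden off the employee by flagging the patterns a W-2 BEC email almost always carries: an executive's display name on an address that is not the executive's, a sender domain one character away from the company's, a Reply-To pointing somewhere else, and a request for W-2 or wage data. The script below is an added example written for this page; it is not Lincare's code and does not describe the controls Lincare has in place. The corporate domain `example.com`, the executive names, and the three sample messages are all constructed for the illustration.

```python
"""Added example: flag executive-impersonation / W-2 request patterns in inbound mail.
Not from the article; the domain, executive list and sample messages are hypothetical."""
import email
from email import policy
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                 # assumption: the company's real mail domain
EXECUTIVES = {                              # assumption: names most likely to be impersonated
    "jane doe": "jane.doe@example.com",
    "john roe": "john.roe@example.com",
}
W2_KEYWORDS = ("w-2", "w2", "wage and tax statement")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw: str) -> dict:
    """Return a verdict and the list of findings for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()

    findings = []
    # 1. Executive display name whose address is not that executive's real address.
    name_key = " ".join(from_name.lower().split())
    if name_key in EXECUTIVES and from_addr.lower() != EXECUTIVES[name_key]:
        findings.append(f"executive display name '{from_name}' on non-matching address {from_addr}")
    # 2. External sender domain within two edits of the corporate domain (lookalike).
    if from_dom and from_dom != CORP_DOMAIN and 0 < edit_distance(from_dom, CORP_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain {from_dom}")
    # 3. Replies would go to a different domain than the one the mail claims to come from.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # 4. The message asks for W-2 / wage data, which is what a W-2 BEC is after.
    w2_request = any(k in text for k in W2_KEYWORDS)
    if w2_request:
        findings.append("message requests W-2 / wage data")

    if w2_request and len(findings) > 1:
        verdict = "block_and_verify"   # hold it; HR confirms by phone on a number already on file
    elif findings:
        verdict = "review"
    else:
        verdict = "ok"
    return {"verdict": verdict, "findings": findings}


# Constructed sample messages (not real mail).
PHISH_MSG = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jane.doe.ceo@mail-example.net>
To: hr@example.com
Subject: W-2 copies needed today

Can you send me the W-2s for all employees as PDF before my 3pm meeting?
"""

FREEMAIL_MSG = """\
From: John Roe <johnroe.exec@gmail.example>
To: hr@example.com
Subject: Quick request

I need the W2 forms for all staff, I'm travelling so reply here.
"""

LEGIT_MSG = """\
From: John Roe <john.roe@example.com>
To: hr@example.com
Subject: Lunch

Are we still on for 12:30?
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH_MSG), ("freemail", FREEMAIL_MSG), ("legit", LEGIT_MSG)):
        print(label, analyze(raw))
```

The verdict deliberately requires both a W-2 request and at least one impersonation signal before holding the mail; a W-2 request from a verified internal address is routine HR traffic, and a lone lookalike-domain hit may just be a partner whose domain happens to be similar, so genuine similar domains should go on an allowlist rather than raising the edit-distance threshold. None of this replaces the phone call: the gateway narrows what reaches the employee, and the out-of-band check catches what it misses.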