Storage drive biz Seagate is lousy at keeping its own data safe: it accidentally handed over the crown jewels of its employees' private information to persons unknown.
A Seagate employee was fooled by an email that masqueraded as an internal memo from the CEO: the message requested people's W-2 forms, and the worker duly handed over the paperwork to fraudsters thinking the request was legit.
The forms include colleagues' social security numbers, income figures, work and home addresses, and other data useful to identity thieves. Anyone who worked at Seagate at any point in 2015 will have had their details leaked.
"On March 1, 2016, Seagate Technology learned that the 2015 W-2 tax form information for current and former US-based employees was sent to an unauthorized third party in response to a phishing email scam," the biz said in a statement to The Reg.
"At this point we have no information to suggest that employee data has been misused, but caution and vigilance are in order. We deeply regret this mistake and we offer our sincerest apologies to everyone affected."
Seagate has informed the IRS, America's taxmen, about the scam, and the FBI has launched an investigation. In the meantime, the tax authorities will be scrutinizing returns from Seagate employees more carefully this year, and the firm has given staff two years of credit fraud protection.
This is the busiest time of the year for Americans and their tax affairs, both legitimate and illegitimate, and last week something similar happened to Snapchat. The fear is that with this information scammers can file false tax records impersonating employees and funnel refunds into the crooks' bank accounts.
Seagate can, at least, take comfort in the fact that it's better at this stuff than the actual IRS. Earlier this month, the tax agency was forced to admit it let slip up to 700,000 tax forms thanks to flaws in its electronic filing system.
Seagate's woes do, however, show the importance of checking the details on emails to avoid getting phished. Too many people are still getting caught out by official-looking emails and not double checking when sending out sensitive info.
Public-key encryption cofounder Whitfield Diffie put it best last week at the RSA conference when he was asked what his first reaction was when he was emailed to say he'd won the Turing Prize – the tech industry's Nobel Prize.
"I spent a long time checking the email headers very, very carefully," he joked. ®