Seagate Phish Exposes All Employee W-2’s

HardOCP News

I guess this just goes to show you that employees are still the weakest link in a company's security chain. Seagate says that less than 10,000 employees were affected.


Email scam artists last week tricked an employee at data storage giant Seagate Technology into giving away W-2 tax documents on all current and past employees, KrebsOnSecurity has learned. W-2 forms contain employee Social Security numbers, salaries and other personal data, and are highly prized by thieves involved in filing phony tax refund requests with the Internal Revenue Service (IRS) and the states.
 
It would seem that of the two general hacking principles, software/hardware exploitation and social engineering, the social engineering approach is getting a lot of focus.


You know, for a while there was a push to stop relying on "fences" to keep people out and instead just make sure all the property was encrypted well enough that it would be unusable if stolen.

Of course, this approach completely ignores the idea of someone compromising your systems to a degree that they are able to make actions happen in your name.

"Sell all my stock in IBM to ......... Jerry Stealslikenoother" :notworthy:
 
I'm surprised the employee was even able to retrieve that data from their drives.
 
Curious how well designed the email message itself was to pass through the phishing filters. Either way though, every company should have internal safeguards in place so that any time employee information is requested by a 3rd party, there is a chain of approval and both IT and Finance managers are directly involved in reviewing the request.
 
Curious how well designed the email message itself was to pass through the phishing filters. Either way though, every company should have internal safeguards in place so that any time employee information is requested by a 3rd party, there is a chain of approval and both IT and Finance managers are directly involved in reviewing the request.

I'd like to hear more about your proposed implementation.
 
I'd like to hear more about your proposed implementation.

Preventing one employee from accessing all of the W2s in one shot would be a good place to start. Training employees with access to W2s to not be retarded would help. Setting access restrictions to send an alert when more than X records are accessed could inform IT. And you could make exporting a lot of W2s require two employees to both enter credentials (presumably the chances of finding two mentally challenged employees with W2 access is low). The second person could be an IT security employee; all of these large companies should have multiple on staff.
 
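The two controls proposed in the post above (an alert when one user touches more than X W-2 records in a short window, and a two-person rule for bulk exports) sketched as an added example; this is illustrative code, not anything from Seagate or the thread. The access log, user names and the threshold of 50 records are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log: (timestamp, user, W-2 record id) for record views.
# One clerk pulls 59 distinct records in a single minute; a manager looks at one.
ACCESS_LOG = [
    ("2016-03-01T09:00:00", "hr_clerk", f"W2-{i:04d}") for i in range(1, 60)
] + [("2016-03-01T09:05:00", "payroll_mgr", "W2-0003")]


def bulk_access_alerts(log, threshold=50, window=timedelta(minutes=10)):
    """Return the set of users who viewed more than `threshold` distinct W-2
    records inside any sliding `window`. This is the "alert IT when more than
    X records are accessed" control; thresholds are assumptions."""
    per_user = defaultdict(deque)
    flagged = set()
    for ts, user, rec in sorted(log):
        now = datetime.fromisoformat(ts)
        recent = per_user[user]
        recent.append((now, rec))
        # Drop entries that fell out of the window.
        while recent and now - recent[0][0] > window:
            recent.popleft()
        if len({r for _, r in recent}) > threshold:
            flagged.add(user)
    return flagged


def authorize_bulk_export(requester, approver, record_count, security_staff, limit=10):
    """Two-person rule: exports above `limit` records need a second, distinct
    approver who is on the IT security team. Returns (allowed, reason)."""
    if record_count <= limit:
        return True, "below bulk threshold"
    if approver is None:
        return False, "bulk export requires a second approver"
    if approver == requester:
        return False, "approver must be a different person"
    if approver not in security_staff:
        return False, "approver must be IT security staff"
    return True, "dual authorization satisfied"
```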
I'd like to hear more about your proposed implementation.


Pretty simple, just have a policy in place that reviews who is requesting what info, and why, and have managers directly involved in the process. Though we don't have access to the actual message in this case, any IT person with half a toolbox of real-world skills should be able to spot a phishing scam, and could have stopped this debacle right there. Also, with respect to this instance, it's not like someone was requesting basic info. All W-2's on all employees ever? How did a request like that not set off a bunch of alarms in the first place? There's no reason why any one single employee should have the authorization to provide info of this sort anyways, whether it is for a single employee or everyone since the dawn of time.
 
Speaking of social security numbers, if you haven't set up your account at socialsecurity.gov yet, you really, really need to before someone else does it for you, because you are in for all kinds of identity hell if they get that before you. And yes, you need to set up your kids' accounts too, no matter how young they are; the loan fraud criminals really like child accounts because it may be many years before you notice what they did.
 
Curious how well designed the email message itself was to pass through the phishing filters. Either way though, every company should have internal safeguards in place so that any time employee information is requested by a 3rd party, there is a chain of approval and both IT and Finance managers are directly involved in reviewing the request.
These phishers are very good at what they do. Most times it will look like the CEO or head of HR is the one requesting the info.
 
These phishers are very good at what they do. Most times it will look like the CEO or head of HR is the one requesting the info.
Which is why you train the employees to verify any unusual requests like this, and to not simply reply to the email, but to compose a new email to avoid the fake email address.

We've had a couple of emails get through our system that looked like management requesting information (when it wasn't), but luckily I've trained most of the employees to be paranoid :)

FYI: It's generally easy for hackers to figure out management email addresses based on web site information and other users' email addresses.
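The checks the posts above describe (a message that looks like it comes from the CEO or HR, a Reply-To that points somewhere else, and a request for every employee's W-2) turned into a small mail-header triage function, added here as an example and not taken from the thread. The internal domain, the executive list and the sample message are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumed company mail domain
# Assumed directory of executive display names -> their real addresses.
EXECUTIVES = {"ceo": "ceo@example.com", "hr director": "hrdirector@example.com"}
BULK_PII_KEYWORDS = ("w-2", "w2", "all employees", "ssn")

# Constructed sample lure shaped like the ones described in the thread.
SAMPLE = """From: "CEO" <ceo@external-mail.invalid>
Reply-To: ceo.office@freemail.invalid
To: payroll@example.com
Subject: Urgent: W-2 copies for all employees

Please send the W-2 forms for all employees as PDF today. Thanks.
"""


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def impersonation_findings(raw):
    """Return a list of reasons the message should be verified out of band
    (a fresh email to the real executive, or a phone call) before anyone replies."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    findings = []
    if _domain(addr) != INTERNAL_DOMAIN:
        findings.append("sender domain is external")
    key = name.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        findings.append("display name matches an executive but address does not")
    if reply_to and _domain(reply_to) != _domain(addr):
        findings.append("Reply-To domain differs from From domain")
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(k in text for k in BULK_PII_KEYWORDS):
        findings.append("requests bulk employee tax/PII data")
    return findings
```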
 