On 1 March 2016 an unfortunate soul in Seagate Technology’s Human Resources department fell for a phishing email (hook, line and sinker), and voluntarily offered up sensitive information regarding their employees – effectively throwing data security out the window.
It’s Easy to Get Caught
The phishing email, disguised as an internal memo from the CEO, requested wage and tax statements of employees, and the staff member handed them over to the scammers in good faith, not knowing that it wasn’t a legitimate request from management.
After this unfortunate event, the attackers started using the stolen data in fraud schemes involving the personal information on the tax forms, resulting in financial loss for some employees.
Now, some of the most aggrieved employees are filing a lawsuit against Seagate, stating that the company was negligent with personal information and didn’t deliver on its data security promise.
It Could Happen to Anyone
It is ironic that a company that prides itself on data security could not follow through on that promise to its own workers and their highly confidential data. This once again proves that anyone can fall victim to cybercrime, and that specialising in data security doesn’t make you immune. The lingering question here is: Is Seagate responsible for this data breach? Should one blame the poor human that (naively) fell for the con?
The last word in that sentence could hint at an answer. Internet charlatans, like the ones behind the spear-phishing email sent to the HR employee, engineer their scams to be as believable as possible. They probably asked very nicely for the forms. And no matter how careful you are, sometimes you fall for it. It’s not something to be embarrassed about; cybercriminals prey on the good, “trusting” nature of human beings.
Education Is Golden
One thing that Seagate as a company can be held responsible for is the lack of education about cybercrime amongst staff. Unsolicited spam emails and phishing emails have been a major cause of concern for quite some time. There is an abundance of literature and awareness material on the Internet about it.
It is very important to be one step ahead of trending Internet deceit, and to keep your employees up to date. One of the most important tasks of an IT and risk manager is to keep an ear to the ground, do research and educate employees so as to make them more vigilant about potential threats. Here are a few tips:
- Avoid opening any suspicious-looking emails. Be cautious of clicking links or opening attachments in emails you are not familiar with.
- If you are not sure, ask. If you receive a strange request seemingly from the CEO of the company you are employed at, rather ask than not. Asking and making sure that the request is legitimate could prevent a major catastrophe. What’s that old adage? Rather be safe than sorry, especially where data security is concerned.
- Unfortunately, some rookie errors can’t be avoided or undone. In that case, it is good to be prepared for any subsequent disaster resulting from a breach in data security.