By: Kacie Manisco
Sprouts Farmers Market, Inc. is one of the latest companies to fall prey to the recent series of phishing scams targeting employee W-2 data. As a result, the company has found itself defending against a class action lawsuit filed by employees and former employees whose personally identifiable information (“PII”) was disclosed to the scammers, including Social Security numbers, full names, addresses and wage and tax statements.
The type of Internet scam involved in the Sprouts case is commonly known as “phishing.” It occurs when an attacker tries to trick a victim into divulging confidential information by masquerading as a trustworthy person making a legitimate request. Earlier this year, the IRS warned companies through a public advisory that reported phishing attacks have increased by 400% so far.
According to the complaint against Sprouts that was filed on April 20, 2016 in the U.S. District Court for the Southern District of California, an email that was believed to be from a senior executive of the company allegedly asked a payroll employee for the 2015 W-2 statements from all Sprouts employees. The payroll employee believed the request was legitimate and complied by sending the requested information in response to the email before Sprouts realized that it was a phishing scam. Approximately 21,000 W-2s were disclosed, and the complaint alleges that the scammers have since used employees’ PII to fraudulently apply for tax refunds and open credit cards.
The complaint sets forth causes of action for negligence, violation of California Civil Code sections 1708.80 et seq. (including California’s data breach law), and unfair business practices in violation of California Business and Professions Code section 17200, alleging that Sprouts failed to properly safeguard information, and concealed that fact from its employees. The class members further allege that, while Sprouts offered 12 months of credit monitoring service, the service it chose does not protect against identity theft, and only notifies the consumer after identity theft or other fraudulent activity has occurred.
We will continue to monitor the case, so check back here for updates. In the meantime, the Sprouts case highlights the danger of phishing scams and the extreme importance of educating your workforce about them. Employees need to be informed about how to recognize phishing emails and told not to respond to them or click on any links or attachments they contain. In addition, it is a best practice for businesses to require verbal confirmation from the requesting person, either by telephone or in person, before any funds are transferred or confidential information is sent in response to an email request.