Apr 23, 2016
 

After 24 days of updating my scratch list of incidents involving phishing for W-2 information (business email compromise), I decided to take stock and try to organize what we have so far. I was surprised to see that there were already 90 incidents (make that 126 as of May 18th). Most of these entries were found via media reports and reports to state attorneys general. Some were found via KrebsOnSecurity. In a few cases, it’s not totally clear whether an incident was a phishing attack or some other type of breach that compromised employee information.

Updated Mar 3, 2017: Because some additional reports from 2016 have become available, I have decided to update this post so that we have a better comparison for the 2017 list. This will likely not be the final update for this list, as the state has yet to finish uploading all its 2016 data.

If you have any additions, deletions, or corrections to suggest, please email me at breaches [at] databreaches.net.

  1. A&A Ready Mixed Concrete
  2. Academy of Art Institute
  3. Acronis
  4. Actifio Inc.
  5. Advance Auto Parts
  6. Agenus 
  7. Alpha Payroll Services 
  8. American Type Culture Collection
  9. AmeriPride Services Inc.
  10. Anthelio Healthcare Solutions Inc.
  11. Applied Systems Inc.
  12. ARC International
  13. Areas 
  14. ARIAD Pharmaceuticals
  15. Ash Brokerage Corp (423)
  16. Aspect
  17. ASPIRAnet
  18. Asure Software
  19. Astreya Partners, Inc.
  20. Avendra
  21. Avention
  22. Avinger, Inc.
  23. AxoGen, Inc.
  24. BackOffice Associates
  25. Behavioral Science Technology
  26. Ben Bridge Jeweler, Inc.
  27. Billy Casper Golf
  28. BloomReach 
  29. Boltech Mannings
  30. BrightView
  31. Bristol Farms
  32. Brunswick Corporation (Brunswick Boat Group, Boston Whaler, Cybex International, Leiserv Inc, Sea Ray Boats, Inc)
  33. Brunswick School District
  34. Care.com (and its subsidiaries)
  35. CareCentrix
  36. Central Concrete Supply Co. (Right Away Redy Mix, Rock Transport, Inc.)
  37. Century Fence
  38. Champlain Oil
  39. City of Hope
  40. City of Plainfield, NJ
  41. Clay County Medical Center (?)
  42. Client Network Services 
  43. Clinton Health Access Initiative
  44. Concord School District (NH)
  45. ConvaTec Inc.
  46. Convey Health Solutions
  47. Conway Group
  48. Crane Co.
  49. Dare Enterprises (via Blue Belt Technologies)
  50. DataXu Inc.
  51. DealerSocket Inc.
  52. Dennis Group
  53. Digilant
  54. Dixie Group
  55. Dynamic Aviation
  56. eClinicalWorks
  57. EMSI
  58. Endologix Inc.
  59. EPTAM Plastics
  60. Essex, VT
  61. Evening Post Industries
  62. EWTN Global Catholic Network
  63. Fast Company
  64. Foss Manufacturing Company
  65. Gamesa Wind US
  66. General Communication, Inc. (GCI, Denali Media, UUI and Unicom)
  67. Girl Scouts of Connecticut (372) 
  68. Girl Scouts of Gulf Coast Florida
  69. GoldKey|PHR 
  70. Gryphon Technologies 
  71. HAECO 
  72. Highway Toll Administration
  73. Hudson City School District
  74. Hutchison Community College
  75. I.M. Systems Group
  76. IASIS
  77. Information Innovators Inc.
  78. Information Resources
  79. InvenSense
  80. InVentive Health, Inc.
  81. ISCO Industries
  82. J. Polep Distribution Services
  83. Kalamazoo College (1,600)
  84. Kantar Group (4,266)
  85. Kentucky State University (1,071)
  86. Kids Dental Kare
  87. Krispy Kreme
  88. Lamps Plus and Pacific Coast Lighting
  89. Land Title Guarantee Company
  90. Lanyon Solutions
  91. Lawrence Public Schools
  92. LAZ Parking
  93. Magnolia Health Corporation
  94. Main Line Health
  95. Management Health Systems d/b/a MedPro Healthcare Staffing
  96. Mansueto Ventures (on behalf of Inc.)
  97. Maritz Holdings, Inc.
  98. Masy Bioservices
  99. Matrix NAC and Matrix Service Company
  100. MCM Staffing
  101. Medieval Times
  102. Meeting Street School
  103. Mercy Housing
  104. Michels (1,911)
  105. Millennium Engineering and Integration
  106. Mitchell International Inc.
  107. Milwaukee Bucks
  108. MNP on behalf of its affiliate, General Fasteners Company
  109. Momentum for Mental Health
  110. Monarch Beverage Company
  111. Moneytree
  112. Morongo Casino
  113. MYR Group
  114. Nation’s Lending Corporation
  115. NetBrain 
  116. Netcracker Technology
  117. New Leaders
  118. Nexion Healthcare Management, Inc.
  119. NTT Data
  120. O.C. Tanner 
  121. Olympia School District
  122. OpSec Security
  123. PerkinElmer
  124. Pharm-Olam International
  125. PhysMed Management
  126. Pivotal Software, Inc.
  127. Polycom
  128. Primary Residential Mortgage, Inc. (PRMI)
  129. Proskauer Rose
  130. Puppet, Inc.
  131. Pure Integration, LLC
  132. QTI Group
  133. RagingWire Data
  134. Relief International
  135. Rhode Island Blood Center
  136. Rightside
  137. Robert Rauschenberg Foundation
  138. Rockhurst University
  139. RugDoctor
  140. Ryman Hospitality Properties (Grand Ole Opry, WSM-AM, Wildhorse Saloon, four large resort hotels, two smaller hotels, a golf course, and Nashville’s General Jackson Showboat)
  141. Saint Agnes Medical Center (2,800)
  142. Saint Joseph’s Healthcare System
  143. SalientCRGT
  144. Santa Rosa Consulting
  145. School Administrative District 4 (Maine)
  146. Seagate Technology
  147. Sequoia Union High School District
  148. Seven Hills Foundation 
  149. SevOne
  150. Silicon Laboratories
  151. Single Digits
  152. Snapchat
  153. Solano Community College 
  154. Spectrum, Inc.
  155. Springfield City Utilities
  156. Sprouts (21,000) 
  157. Symphony EYC
  158. Symphony Health Solutions Corp.
  159. The Home for Little Wanderers 
  160. Tidewater Community College (3,193) 
  161. Tom McLeod Software Corps
  162. Total Community Options Inc. DBA InnovAge
  163. Tricerat, Inc.
  164. Turner Construction 
  165. Umstead Hotel & Spa
  166. ValMark Securities
  167. VBrick Systems
  168. Verity Health System
  169. Veterans Management Services
  170. Washington Elementary School District 
  171. Whiting-Turner Contracting Company (1,987)
  172. WorkCare
  173. Wynden Stark, dba GQR Global Markets/City Internships
  174. York Hospital 
  175. YourEncore 

  5 Responses to “Meanwhile, back at the phishing for W-2 department…”

  1. Any chance you can add the states? I see my school district up there but I don’t know if it’s the same state.

    • If you search my site for the name of the school district, you should find my coverage on the incident which should give you the state.

  2. Duh. Thanks! Different state, NC.

  3. Great work! Thank you.

  4. This is an impressive list, great work on compiling! Phishing is a serious risk and one that is best mitigated by end user awareness combined with a good email gateway solution. [advertising material deleted by moderator – not allowed on this site, thanks.]
