DataBreaches.net became aware of their incident when contacted by a former employee. According to BMAG’s notification to employees dated March 10, they had no then-current evidence of any misuse of employees’ information. Given that the incident occurred on or about March 6 (according to the person who contacted DataBreaches.net), such assurances might have been a bit premature or optimistic. Approximately 24 hours after the employee received notification of the breach, they also discovered that someone had already filed a tax return in their name using their personal information. Whether BMAG will be sued over the incident remains to be seen.
Certainly in other cases, we are now seeing more and more reports of individuals discovering that tax returns have been filed in their name following W-2 incidents. Today alone, for example, this blogger read reports concerning ADF International and Dairy Management, Inc that both indicated employees had experienced problems with tax returns. And some firms have already been sued over such incidents. As two examples, solar panel manufacturer Sunrun has been sued by an employee who discovered a false return had been filed before Sunrun even notified him of the breach. In other litigation, TransPerfect Global Inc. has been sued by employees after their 2015 W-2 data was compromised by phishing an employee.
So while I continue to track these W-2 phishing scam reports, and Steve Ragan keeps adding up the numbers affected, perhaps we should also have been keeping track of how many of these incidents are actually associated with falsified tax returns.