Seagate is being sued by its own staff after personal information was exposed due to a phishing scam.
Earlier in the year a senior HR executive was tricked by a phishing scam in which the scammers posed as the company's CEO, Stephen Luczo. The scammers requested information such as tax codes, social security numbers, and pay information.
Now, a lawsuit has been filed that alleges that attackers have made use of the confidential data. Seagate is contesting the claims and has said that it could not be held responsible for the unforeseen actions of criminals.
The company also argues that there was no evidence of negligence by Seagate that has led to financial loss by some employees.
Court documents reveal that the thieves have used the stolen information to file joint tax forms and carry out various forms of ID theft. The lawsuit aims to make Seagate pay damages to anyone who has suffered financial loss.
In other bad news for the hardware maker, Sophos researchers say that they have uncovered a malware strain that targets Seagate’s network attached storage (NAS) appliances, turning them into distribution points for cryptocurrency-mining software.
Called Mal/Miner-C, this is a type of malware that is designed to spread by exploiting default login credentials, such as weak and frequently used passwords, to install malicious files, Robert Page, lead penetration tester at Redscan, said.
Page said: “The creators of this malware are not specifically targeting Seagate NAS devices but given that these devices are known to have poor default credentials, owners of these devices are particularly vulnerable to attack.”
Mark James, security specialist at ESET, said that to mitigate these attacks the user should review and modify any default passwords in addition to ensuring that the latest firmware and software have been installed. User permissions should also be checked to be as restrictive as they need to be.