Sprouts Farmers Market confirmed on Thursday that a phishing email scam resulted in the retailer inadvertently handing over its employees’ payroll data to cyber criminals.
The Phoenix, Arizona-based supermarket chain has approximately 21,000 employees across its 200 U.S. stores.
Sprouts spokeswoman Donna Egan said an employee in the payroll department received an email appearing to come from a company senior executive. The email asked for the W-2 statements of all Sprouts workers.
“Sprouts is working with the FBI and the IRS to investigate this crime and to determine the best ways to protect team member tax information,” Egan told SC Magazine.
The company said any employee who received a W-2 form from Sprouts in 2015 may be impacted but gave no indication of how many of its 21,000 workers were affected by the breach.
Information on the W-2 forms includes employee Social Security numbers, salaries, mailing addresses and other personal data.
Cyber criminals often use the stolen information to file fraudulent tax returns in the victims’ names and collect the refunds from the Internal Revenue Service (IRS) and the states.
“We sincerely apologize for this situation and are working to enhance our controls and make additional investments in protocols, technology and training,” said Egan.
Sprouts joins a list of several other large companies that have recently fallen victim to similar W-2 phishing attacks, including Seagate, Magnolia Health Corporation and Snapchat.
Craig Young, senior security researcher at Tripwire, said there are practical steps companies can take to prevent such human errors.
“In general, whenever a request is received to send sensitive personal information outside of regular business processes, it is always a good idea to validate the request through a separate channel, such as via telephone,” Young told SC Magazine.
Meanwhile, Jonathan Sander, vice president at access management firm Lieberman Software, adds that limiting employee access to sensitive records is critical to heading off these incidents.
“If a payroll employee wants one W-2, then maybe you just let them have it. If that same employee wants all of them all at once, then there should be something that triggers – to say this is a different sort of request that deserves more scrutiny,” he said.
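The trigger Sander describes, and the out-of-band check Young recommends, can be implemented as a simple screen on the payroll system’s export log. The following is an added example written for this article; it is not code from Sprouts, Lieberman Software or Tripwire. The log format, the user names and the thresholds (25 records in one request, 50 records per user per hour) are assumptions, and the sample log entries are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample payroll-system access log (not real Sprouts data):
# (ISO timestamp, user, action, number of W-2 records in the request)
SAMPLE_LOG = [
    ("2016-03-22T09:02:11", "payroll.clerk", "w2_export", 1),
    ("2016-03-22T09:15:40", "payroll.clerk", "w2_lookup", 1),
    ("2016-03-22T10:01:03", "payroll.clerk", "w2_export", 21000),
    ("2016-03-22T10:05:00", "hr.analyst", "w2_export", 20),
    ("2016-03-22T10:20:00", "hr.analyst", "w2_export", 20),
    ("2016-03-22T10:35:00", "hr.analyst", "w2_export", 20),
    ("2016-03-22T11:50:00", "hr.analyst", "w2_export", 1),
]

# Assumed thresholds; tune them to the organisation's normal payroll workflow.
BULK_THRESHOLD = 25           # one request returning more W-2s than this is "bulk"
WINDOW = timedelta(hours=1)   # sliding window for cumulative counting
WINDOW_THRESHOLD = 50         # cumulative W-2s per user inside the window


def screen_w2_exports(log, bulk_threshold=BULK_THRESHOLD,
                      window=WINDOW, window_threshold=WINDOW_THRESHOLD):
    """Walk the log in order and return one alert per export that should be
    held for out-of-band verification. Two triggers:
      - a single request that exceeds bulk_threshold records;
      - a user whose exports inside `window` add up past window_threshold,
        which catches a bulk pull split into several small requests.
    """
    alerts = []
    recent = defaultdict(list)  # user -> [(timestamp, count)] still inside the window
    for ts_str, user, action, count in log:
        if action != "w2_export":
            continue
        ts = datetime.fromisoformat(ts_str)
        # Drop this user's entries that have aged out of the window, then add the new one.
        recent[user] = [(t, c) for t, c in recent[user] if ts - t <= window]
        recent[user].append((ts, count))
        total = sum(c for _, c in recent[user])

        reasons = []
        if count > bulk_threshold:
            reasons.append(f"single request for {count} W-2s exceeds {bulk_threshold}")
        if total > window_threshold:
            reasons.append(f"{total} W-2s exported by {user} within {window} exceeds {window_threshold}")
        if reasons:
            alerts.append({
                "time": ts_str,
                "user": user,
                "count": count,
                "reasons": reasons,
                # The response is the separate-channel check Young describes.
                "action": "hold export; confirm the request with the requester by phone",
            })
    return alerts


if __name__ == "__main__":
    for alert in screen_w2_exports(SAMPLE_LOG):
        print(alert)
```

Run against the sample log, the 21,000-record request fires both triggers at once, while the three 20-record exports by the second user never exceed the per-request limit but still trip the cumulative window; the single lookup and the later one-record export pass. The alert carries the action rather than just a message so the payroll system can hold the export pending the phone call instead of merely logging it.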