Scott Goss

The News Journal

Tech company SevOne was the victim of a cybersecurity attack on Tuesday.

Workers are at risk for identity fraud, according to the company.

Smaller businesses ranging from concrete supply companies to landscaping businesses also reportedly have been suckered by the scam.

SevOne fell victim to a cybersecurity attack that has put current and former employees at risk for identity fraud.

The tech company has confirmed it released W-2 wage and tax data to an unauthorized recipient outside the company. That information is believed to include Social Security numbers, home addresses, dates of birth and other personal information criminals can use to file false tax returns and commit other forms of identity theft.

The "unauthorized disclosure," which company officials said occurred Monday, was reported to current and former staff late Tuesday night in an email from SevOne’s chief legal officer Diane Pryon. A copy of the email was obtained by The News Journal.

“We are actively working to understand the incident and at this time we have no reason to believe any other SevOne data was affected,” Pryon wrote. “We sincerely apologize to anyone who may have been affected and will send additional communications as further information is learned.”

Company officials declined to comment on the data breach, including details about how it occurred or how many people were affected, Wednesday.

Earlier this month, SevOne laid off less than 10 percent of its global workforce, which numbered about 525 in late 2015.

About 200 employees work out of the company’s Innovation and Technology Center at the University of Delaware’s Science Technology and Advance Research campus in Newark.

The company said it will be providing current and former employees with two years of free credit monitoring services to help them avoid being victimized by the “unauthorized disclosure.”

Criminals behind the phishing scams use personal information gleaned from companies to make fraudulent tax filings to collect the returns. Pryon directed SevOne employees to file their taxes as soon as possible to pre-empt a possible false claim using the leaked data.

SevOne’s data breach is believed to have been a cyberattack known as “spear phishing.” The scheme involves a “spoof” email that appears to come from a company executive requesting sensitive information from an unsuspecting employee.

SevOne, a network infrastructure monitoring company with Fortune 500 clients, might be a high-tech business, but that does not mean its employees are any less susceptible to a phishing scam, said Greg Gurev, head of the Stanton IT security company MySherpa.

"This kind of thing has nothing to do with tech," he said. "These scammers aren't attacking the tech by cracking your password. They're socially engineering their way in by exploiting a flaw in the human condition."

Several companies across the country have fallen victim to spear phishing attacks in recent weeks, including the video messaging app Snapchat, California-based data storage company Seagate and Main Line Health in Pennsylvania.

Smaller businesses ranging from concrete supply companies to landscaping businesses also reportedly have been suckered by the scam.

The Internal Revenue Service issued a consumer alert about phishing and malware scams last month after recording a 400-percent surge in reports this tax season.

The IRS followed that alert with a March 1 warning to payroll and human resources professionals specifically regarding spear phishing schemes.

Nearly 800 criminals have been sentenced in the last year for IRS-related identity theft, but many email phishing scams originate overseas, making prosecution nearly impossible.

“Some form of tax-related theft has always existed, but it’s something that has taken on new forms as our reliance on technology has increased,” said IRS spokesman Clay Sanford. “It’s unlikely these scams are ever something that can be completely eliminated.”

Sanford said similar email-based scams have been reported in which messages are sent purporting to be from the IRS, tax accountants and tax software companies. The messages typically seek information related to refunds, filing status, personal information or claim to require personal identification number verification.

“They often go so far as to use logos, fonts and false identifiers directly from our website,” he said. “Unfortunately, the best tool we have to prevent taxpayers from becoming victims to these types of attacks is raise public awareness.”

The IRS website includes several tips to avoid becoming a victim to scams. Those suggestions include learning how to recognize phishing emails, not opening email attachments from unfamiliar sources and using virus/malware protection software.

Gurev said companies also should routinely conduct a data security audit that maps out their sensitive data, where that information is stored and who can access it.

"You have to raise awareness in an organization and create a policy," he said. "That way anyone who is asking you to transfer money or send information that's critical, your people know that data is not to be sent via email. At the very least, you walk over to your manager and get verification in person first."

Sanford also warned about lower-tech IRS telephone scams that have cost taxpayers an estimated $26.5 million over the last three years.

“We don’t send unsolicited emails to taxpayers,” he said. “And we don’t call taxpayers requesting personal information without some written verification being sent in advance.”

Anyone who receives an unsolicited email that appears to be from either the IRS or an organization closely linked to the IRS, such as the Electronic Federal Tax Payment System, can report it by forwarding the message to phishing@irs.gov.

Business owners looking for tips on how to protect themselves from cyberattacks are encouraged to attend one of four events planned throughout the state in the coming weeks.

This month, experts from Connecticut-based Artemis Global Security will provide tips to owners of small- and medium-sized businesses on developing cybersecurity readiness.

The first workshop will be held from 9 a.m. to noon on March 22 at the Delaware Biotechnology Institute, 15 Innovation Way in Newark. The same program will be held from 9 a.m. to noon on March 23 at the Kent County Administration Building, 555 S. Bay Road in Dover.

In April, two more events will be held to assist businesses, along with nonprofits, government agencies, academics and private individuals.

Elayne Starkey, Delaware’s chief security officer, and Capt. Daniel Meadows of the Delaware State Police criminal intelligence section, will provide tips on developing continuity and resiliency plans in advance of a cyberattack.

The first event will be held from 8 a.m. to 1:15 p.m. on April 6 at the Chase Center on the Riverfront, 815 Justison St. in Wilmington. A second summit will be held from 8 a.m. to 1:15 p.m. on April 7 at Kings Creek Country Club, 1 Kings Creek Circle, west of Rehoboth Beach.

Contact business reporter Scott Goss at (302) 324-2281, sgoss@delawareonline.com or on Twitter @ScottGossDel.

Sports Authority files for bankruptcy protection

Allen Harim to close Md. plant, move work to Delaware