
Care.com Becomes the Latest W-2 Phishing Victim

Care.com, a website that helps families find child care, senior care, tutoring, pet care, housekeeping, and other services, experienced a data breach in the beginning of March.

According to a security breach notification [PDF] on the New Hampshire Department of Justice website, a March 3 phishing attack targeted 2015 payroll data containing IRS Form W-2s, which included names, addresses, social security numbers, and 2015 salary and tax information of 39 New Hampshire residents.

The attack is the latest in a string of tax-season heists that involve phishing and whaling—attempts that are aimed at conning employees into giving out tax information with all of the details that cyber-criminals need to mount ID theft efforts—and follow-on phishing attacks.

“Right now, there’s too little data to point to anything specific with the type of attack, such as malware, or social engineering,” Dodi Glenn, vice president of cybersecurity at PC Pitstop, said via email. “However, regardless of the situation, these types of attacks will not be going away anytime soon. Any company that houses that much PII should be taking on a greater responsibility of protecting data.”

Ironically, Care.com CTO Dave Krupinski touted his company’s dedication to security last year on a panel discussion at the MassTLC Security Conference. “The security officer role requires security and business expertise,” he said. “The head of security has deep understanding of technology and security practices and a deep knowledge of the business’ digital and physical assets.” He added, “[The security officer] is aware of our asset landscape, where all these assets are, and [is] also aware of the threat landscape, where threats may be coming in.”

Glenn noted that even the best-prepared may not be as prepared as they think, if employee education isn’t part of the mix. “Employee education about different types of phishing attacks, and taking a proactive approach in planning for a breach (e.g. ensuring security systems like antivirus and perimeter appliances, etc. are updated) are a must,” he said.
