One of the victim companies of a W-2 phishing attack that this site reported in 2017 was a New York firm called Taconic Biocences. A copy of their notification to the Maryland Attorney General’s Office is still available online, here.
Recently, News10 in New York reported that there has been a $2.7 million settlement in a lawsuit against the firm. It appears that although Taconic Biosciences had offered those affected two years of complimentary membership to Experian’s ProtectMyID product, there was a lawsuit filed anyway.
As part of the settlement, Taconic is required to provide two years of comprehensive identity theft protections, pay up to $3,000 to the victims involved, and pay for legal fees and costs.
However, under the settlement, Taconic is not being held at fault.
Victims have until July 15, 2020 to file for benefits under the settlement.
I haven’t seen too many cases like this following successful W-2 phishing attacks, and I wonder if they settled because H.I.G. Capital acquired Taconic Biosciences in February and wanted to move on from the litigation or if there was some other reason.
McNamee Lochner is the law firm that represented the plaintiffs in the suit. In a press release issued October 2, they stated that hundreds of individuals had their personal information compromised in the breach. There were 665 certified class members in the lawsuit.
It was not clear from their press release, however, whether any of the current or former employees actually became victims of tax refund fraud. DataBreaches.net reached out to the law firm’s press contact on October 3, and although we made contact and there have been multiple requests for a response, this site has received no answers to some questions, questions which included whether any employees or class members had actually experienced tax refund fraud or identity theft (see below for Update to this post).
Update: This site has now received some answers to questions that clarify a few points.
First, with respect to the question of whether any class members had actually experienced tax refund fraud based on their 2017 W-2 compromise, the law firm answered:
While we are aware of many clients who had fraudulent tax refunds. However, not all members of the class were individually represented by ML
The law firm also states that they were aware of “several cases of non-tax related fraud.”
They declined to provide a copy of the phishing email itself.
But it does appear that at least some employees experienced concrete harm that might reasonably be linked to the breach, so maybe that’s why the firm settled. It can’t be good when your own employees are so upset with you for aggravation they are experiencing, and if the settlement is what it took to restore a more productive environment, then it may be a smart move — particularly if there was any insurance that might help offset the costs.