Sprouts Farmers Market Class Actions Target W-2 Phishing Scam

Top Class Actions’s website and social media posts use affiliate links. If you make a purchase using such links, we may receive a commission, but it will not result in any additional charges to you. Please review our Affiliate Link Disclosure for more information.

Sprouts Farmers Market, the popular natural foods store chain based out of Phoenix, Ariz., is the latest company to fall prey to the recent series of phishing scams targeting W-2 data of employees.

Sprouts said that an employee in the payroll department received an email that was believed to be from a senior executive of the company. The email allegedly asked the payroll employee for the 2015 W-2 statements from all of the company’s employees. The payroll employee compiled the requested information and reportedly sent it off in an email to the requestor before the company realized that the email was actually a phishing scam.

Once Sprouts identified the email requesting the W-2’s as a phishing scam, the company promptly contacted federal authorities, and the FBI and IRS are now currently investigating the situation.

Known as “CEO Fraud,” these scams use social engineering platforms by criminals to manipulate victims and trick them into divulging secure information or even transferring company money into a bank account the attacker controls. Rather than attacking vulnerable computer systems, they take advantage of the vulnerabilities of human nature. These schemes are more subtle than many other scams and require the attacker to know a lot about the person they are impersonating and the institution they are targeting.

Since much of this information about senior level employees and the institutions is readily available on company webpages and companies use social media to update consumers about the goings-on in the organization, stealthy cyberattackers can gain this information relatively easy and move-in on unsuspecting employees in payroll and accounting departments.

Sprouts has about 200 retail stores and 21,000 employees at the time of the breach.

Sprouts spokesperson Donna Egan told reporters, “Sprouts is working with the FBI and the IRS to investigate this crime and to determine the best ways to protect team member tax information. Anyone who received a W-2 form from Sprouts may be impacted.”

The company is working with law enforcement to investigate the phishing scam and is also working to notify employees of the breach and inform them of steps they can take to help mitigate any potential problems caused by the data ending up in the wrong hands.

As a result of the data breach, Sprouts has offered all employees a year of free credit monitoring. Some employees think that this gesture is not sufficient. Presently, two class action lawsuits have been filed against Sprouts in response to the data breach.

One lawsuit was filed in California Superior Court in San Diego against Sprouts Farmers Market Inc. on April 8 as a civil case under tort law. More information will be available on this lawsuit once the details of the filing are released.

The second lawsuit was filed by a Sprouts employee, Debra Price, in federal court in Colorado on April 14. Price claims she had her information accessed, stolen and used, causing her to suffer actual harm and monetary damages. In this case, a fraudulent tax return was filed on the employee’s behalf before she was able to file the tax return herself.

Price has accused Sprouts of negligence, breach of fiduciary duty, breach of contract, breach of implied contract and invasion of privacy. She seeks to represent a Class of Sprouts employees who have been affected by the data breach and seeks a variety of damages, an injunction against Sprouts including 25 years of credit monitoring, bank monitoring and identity insurance for herself and Class members, as well as attorneys’ fees and costs of litigation.

Sprouts is not the only company to have faced a security breach resulting from a phishing scam. Seagate Technology, Magnolia Health Corporation, Snapchat and General Communications Inc. have also been victims of the phishing campaigns aimed at stealing information from W-2 forms.

In fact, the IRS warned companies through a public advisory earlier this year that there has been a 400 percent increase in phishing attacks reported so far. The agency and security experts are urging companies to educate their employees on the risks of these cyberattacks to help thwart avoidable compromises of security.

The Sprouts Employee Data Breach Class Action Lawsuits  are Castellano v. Sprouts Farmers Market Inc., Case No. 37-2016-00011845-CU-NP-CTL, in the Superior Court of California, County of San Diego and Price v. Sprouts Farmers Market, Case No. 1:16-cv-00855, in the U.S. District Court for the District of Colorado.

UPDATE: On July 6, 2016, Sprouts and a plaintiff in a data breach class action lawsuit pending in California federal court asked a judge to put their case on hold while the U.S. Judicial Panel on Multidistrict Litigation considers a request to consolidate it with three similar class action lawsuits.