A group of proposed class-action suits stemming from a data breach allegedly compromising the identities of more than 21,000 employees of Sprouts Farmers Market have been consolidated in an Arizona Federal Court.
The suits allege that Sprouts fell victim to a "phishing" scam whereby the retailer in March of this year electronically sent the W-2 tax forms of its employees to an unknown third party that had claimed to be a senior executive of the company. At least some of the employees allege they subsequently discovered their tax returns were rejected by the Internal Revenue Service because their social security numbers had already been used by unknown persons to receive rapid tax refunds.
The cases were filed by several former and current Sprouts employees and seek to represent a class of plaintiffs including all 21,000 people who worked for the company during 2015. They said the aggregate amount in controversy exceeds $5 million.
Sprouts had requested the cases be consolidated by the U.S. Judicial Panel on Multidistrict Litigation, which agreed late last week to combine the cases in Arizona, where Sprouts is headquartered. The consolidation will allow for pretrial proceedings before one court. Sprouts had separately stated its intention to file motions to compel arbitration in the cases, which were initially filed in Colorado, California and Arizona.
Sprouts wasn't immediately available for further comment.
According to the complaint, on or about March 14, the payroll department at Sprouts headquarters in Phoenix disclosed all of its employees’ 2015 W-2 earning statements to an unknown person who sent an email claiming to be a Sprouts’ executive. The company became aware of the scam within days, and alerted employees by March 28, stating that it had also altered federal investigators to the scam and providing employees with suggested steps to protect themselves. Sprouts also offered each employee and former employee a complimentary one-year membership of Experian’s Protect MyID Alert program, and set up a helpline to address employee questions.
The W-2 forms included employees' full names, addresses, Social Security numbers, wages and taxes withheld in 2015. They did not disclose birth dates, bank information, credit card information, or email addresses.
One of the parties filing suit, a part-time courtesy clerk and cashier who worked at a Sprouts store in Colorado through December of last year, said her and her minor daughter, also a Sprouts employee, were impacted by the scam, discovering it only after the IRS rejected their tax returns in April.
"Sprouts not only failed to safeguard and prevent the theft of this [employee data] from its computers or network, but voluntarily handed it over to third parties upon their mere electronically delivered email request," the complaint read.
According to reports, dozens of U.S. companies fell for similarly arranged scams this year. The IRS on March 1 issued an alert to payroll and human resources professionals to beware of a surge in phishing email schemes that purport to be from company executives and request personal information on employees.
“This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data. Now the criminals are focusing their schemes on company payroll departments,” IRS Commissioner John Koskinen said in a release. “If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”
