It’s not a letter anyone wants to receive: your employer telling you a data thief has stolen your Social Security number and other highly sensitive information by pretending to be your CEO.
But that’s what hundreds of employees of San Mateo software firm Coupa, co-founded by two former Oracle executives, recently received.
On March 6, according to the letter sent to the workers and obtained by SiliconBeat, the firm’s human resources department was targeted in a successful phishing fraud seeking employees’ IRS W-2 payroll forms.
“A scammer impersonated our Chief Executive Officer and requested that payroll information (Form W-2) for the 2016 tax year be sent via email,” the letter dated March 15 said.
Coupa, a cloud-based firm that makes spending-management software for business use, has 652 employees, according to the company. The firm’s CEO is Rob Bernshteyn. It was co-founded in 2006 by former Oracle executives Noah Eisner and Dave Stephens, with Stephens spending about four years starting it up between stints at Oracle.
The letter to workers went on to list what’s contained on the W-2: name, employee ID, Social Security number, state of residence and work, wages earned, amounts of company-paid benefits, contributions to retirement, and taxes withheld.
The breach of confidential data comes as Coupa, with a market capitalization of $1.2 billion, has been on a tear.
On top of adding machinery giant Caterpillar to its list of 500-plus customers, the firm ended its fiscal year Jan. 31 with $134 million in annual revenue, up 60 percent over the previous year.
No customer information was lost in the data theft, and only workers employed in 2016 were affected, the firm said in a statement.
“Coupa was one of numerous companies recently targeted by this ‘phishing’ scam,” the statement said. “Upon awareness of the scam, we immediately mitigated the isolated incident and implemented measures to protect affected individuals.
“We have not seen any evidence that any data has actually been misused. The privacy and protection of our employee data is a matter we take very seriously.
“We work swiftly to resolve incidents that may occur and partner with leading third-party vendors to take measures and preventions against security incidents.”
The letter to employees said the firm would supplement existing phishing-defense training with more training and information. Also, affected workers can sign up for two years of free identity-theft monitoring and insurance, the letter said.
Coupa notified the FBI immediately after discovering the scam, and also informed the IRS, the letter said.
Bernshteyn, the CEO, is also chairman of the company’s board, which counts among its members former Yahoo CEO Scott Thompson and former Salesforce executive vice-chairman Frank van Veenendaal.
Headquartered in San Mateo, Coupa has four other offices in the U.S., two in Canada, eight in Europe and three in the Asia-Pacific region.
Image: Artist’s rendering of a computer hacker (Pixabay public domain)