BUSINESS

LAZ Parking workers' personal data compromised in phishing attack

The tax and revenue information of everyone who worked for the nation's third-largest parking company last year may have been stolen by an "unknown individual," the company said.

LAZ Parking Ltd. said this week that W-2 tax form information for some 14,000 full- and part-time workers had been compromised.

LAZ operates in 26 states, controls 875,000 parking spaces and has annual revenue of $930 million. It has 160 parking lots and garages in Los Angeles County, and 1,100 employees worked in the county last year, company spokeswoman Mary Coursey said.

Coursey said the company has hired cybersecurity specialists and is doing everything it can to make sure such a breach does not happen again.

San Diego State University professor Murray Jennex, an expert on identity theft, said the stolen information can be used to file false tax returns for individuals, and this is the time to do it.

"It's a low-risk crime," he said. "It's right in the tax season, the time of the year when the IRS is flooded. It is not likely to catch it as quickly as they should. [Criminals] will probably get the money out of it."

LAZ, based in Hartford, Conn., said in a letter to employees that someone pretending to be an executive with the company tricked a LAZ worker into giving up 2015 W-2 forms in mid-February by email.

The company offered to give employees identity-theft protection for two years at no cost and to pay to freeze credit reports if employees chose to do so.

The Internal Revenue Service is not allowed to comment on individual cases, but its website gives instructions to companies that have a data security breach. The IRS says businesses must notify law enforcement agencies, along with any affected businesses and employees.

"Our systems remain secure, and we alerted authorities as soon as we were made aware of the situation," said Coursey, the LAZ spokeswoman. "We sincerely regret any inconvenience this may cause our employees."

Last year, Intuit Inc.'s TurboTax division stopped submitting electronic tax returns for about 24 hours because at least two states — Minnesota and Utah — had seen a rise in suspicious e-returns and attempts to use stolen identity information.

In addition to being used to steal tax returns, W-2 information could be used for proof of employment or to get a loan, said Jennex, the SDSU professor.

He said the scam that hit LAZ reflects poor training at the corporate level because sending sensitive information over email is one of the key things companies are supposed to avoid.

Jennex said the IRS will likely sort everything out but it will greatly slow down any returns of a person that had multiple returns filed.

Times staff writer Samantha Masunaga contributed to this report.

phillip.molnar@sduniontribune.com

Copyright © 2016, Los Angeles Times
A version of this article appeared in print on March 17, 2016, in the Business section of the Los Angeles Times with the headline "LAZ Parking employees' personal data compromised - A phishing attack nets W-2 tax forms for about 14,000 full- and part-time workers." — Today's paperToday's paper | Subscribe
73°