Cyber Incident Victim: Sunrun
Date: Jan 2017
Location: United States of America
Summary
A hacker impersonated Sunrun's CEO in a spear-phishing attack targeting the payroll department, successfully obtaining W-2 tax forms containing sensitive employee data including Social Security numbers, salaries, and addresses. The breach impacted a substantial portion of current and former staff but did not compromise customer information. The company detected the incident within an hour, engaged authorities, and implemented identity theft protection services for affected individuals while revising internal security training protocols. An employee criticized the lack of verification processes for handling sensitive data requests, highlighting procedural failures that enabled the scam. This incident mirrored similar payroll-focused attacks targeting other organizations during tax season.
Description
On January 20, 2017, a hacker impersonating Sunrun CEO Lynn Jurich sent a spear-phishing email to the San Francisco-based solar company’s payroll department, requesting employee W-2 tax forms. The fraudulent request coincided with the start of tax-filing season, a period when such forms are routinely distributed. The payroll department did not recognize the email as a scam and disclosed 2016 W-2 forms containing sensitive employee information, including Social Security numbers, addresses, salaries, and tax withholding details. Sunrun detected the breach within one hour of the phishing attempt and immediately engaged law enforcement authorities. The company confirmed on January 27 that a "substantial portion" of its approximately 4,000 current and former U.S. employees were affected, though no customer data was compromised.

Sunrun CEO Lynn Jurich notified employees via memo about the breach, attributing it to a failure to identify the phishing attempt. The company offered affected employees two years of complimentary identity theft protection through Experian and announced plans to revise its internal data security training programs. Employees were advised to file tax returns promptly to mitigate the risk of fraudulent refund claims, as the stolen W-2 data could enable scammers to file fake returns. Former employee Glenn Massamillo, who worked in business development for Sunrun’s New Jersey operations, criticized the lack of verification protocols for sensitive data requests, calling the incident a result of "extreme incompetence." The breach mirrored similar W-2 phishing attacks targeting companies like Seagate Technology and payroll processor ADP during the same tax season.
