Cyber Incident Victim: Brunswick Corporation

Date: Apr 2016

Location: United States of America

Summary

Brunswick Corporation experienced a spearphishing incident where an employee mistakenly sent current and former workers' W-2 information to an unauthorized individual after receiving a fraudulent email impersonating company management. The compromised data included approximately 13,000 individuals' names, Social Security numbers, 2015 earnings, and tax withholding details, though customer data remained unaffected. Upon discovering the error, the organization promptly notified the IRS and potentially impacted employees while offering complimentary credit monitoring, identity theft assistance, and insurance services. The company clarified that the breach resulted from human error rather than a technical system intrusion.

Description

On April 29, 2016, Brunswick Corporation fell victim to a spearphishing attack that compromised sensitive tax information for approximately 13,000 current and former employees across its subsidiaries, including Mercury Marine. An employee received an email that appeared to originate from company management and requested worker W-2 forms. The recipient took the request as legitimate and transmitted the data to an unauthorized external party. The compromised records contained personally identifiable information including full names, Social Security numbers, 2015 earnings figures, tax withholding amounts, and deduction details for all affected full-time and part-time personnel. The breach exclusively impacted employee data, with no customer information or corporate systems compromised during the incident. Brunswick confirmed the attack did not involve technical infiltration of its information infrastructure, characterizing it instead as a socially engineered scam exploiting human error rather than system vulnerabilities.

The employee recognized the error later on April 29 and immediately reported the mishandling of data to company management. Brunswick Corporation promptly initiated response protocols by notifying the Internal Revenue Service about the potential tax fraud risks and directly alerting all affected individuals via email communications. The company offered complimentary credit monitoring services, identity theft assistance resources, and identity theft insurance coverage to every impacted current and former employee as protective measures against potential financial fraud. In public statements, Brunswick emphasized that forensic investigations found no evidence of broader system compromises beyond the single phishing incident, maintaining that customer databases and other operational networks remained secure throughout the event. The organization reiterated that the breach stemmed entirely from deceptive communication tactics targeting human psychology rather than technical security failures.
