Sunrun’s Tax-Season Data Breach Has Employees Fuming


SAN FRANCISCO (CN) – Sunrun employees whose W-2 tax forms were sent to hackers posing as its CEO brought a class action over the rooftop solar company’s failure to protect employee information and inform them of the data breach.

Lead plaintiff Russell Ashlock says he found out about the Jan. 20 from the internet long before he received a letter from Sunrun on Feb. 6, 2017, saying his W-2 had been exposed. Someone also filed a false tax return on Jan. 29 using Ashlock’s information, according to the complaint filed on Feb. 9 in San Francisco County Superior Court.

A hacker impersonating CEO Lynn Jurich had sent an email to the company’s payroll department requesting employee W-2s, which contain personal information like addresses, Social Security numbers and salary amounts. Such an email is generally referred to as “phishing,” and Sunrun readily responded to the request before realizing it was a scam, the class claims.

“Plaintiff and class members are now and will be at risk of identify theft for the rest of their lives, requiring constant diligence and monitoring,” Ashlock’s complaint states.

The class says Sunrun also failed to adequately compensate employees for the data exposure, offering employees just two years of identify theft protection through Experian’s ProtectMyID service.

“Even if an employee accepts the ProtectMyID service, it will not provide employees any compensation for the costs and burdens associated with the fraudulent tax returns that were filed prior to an employee signing up for ProtectMyID,” the complaint says. “Sunrun has not offered employees any assistance in dealing with the IRS or state tax agencies. Nor has Sunrun offered to reimburse employees for the costs-current and future- incurred as a result of falsely filed tax returns.”

It also notes that the Experian service doesn’t protect against identify theft, but only provides some assistance after an identify is stolen.

The class seeks punitive and statutory damages for Sunrun’s failure to maintain proper security measures, policies and procedures, and training,” and for failing to timely notify their employees of their error.

They are represented by Eric Grover with Keller and Grover LLP in San Francisco.

Sunrun did not immediately respond to an email request for comment.

%d bloggers like this: