Public Library of Science (“PLOS”) recently disclosed a data breach after a spear-phishing attack led to the unauthorized disclosure of employee W-2 forms. The incident occurred on February 3, 2026, and exposed highly sensitive personal and tax-related information.
Public Library of Science’s Data Breach Investigation
On February 3, 2026, PLOS discovered that it had been the victim of a spear-phishing attack. According to the notice, a phishing email was mistakenly responded to, resulting in copies of U.S. employees’ 2025 W-2 tax forms being sent to an unknown third party.
The incident was reported immediately upon discovery, and PLOS began investigating the same day. The organization also contacted appropriate law enforcement authorities, including the Internal Revenue Service (IRS) and the Federal Bureau of Investigation (FBI). Following the report to the IRS, the agency initiated a risk assessment that may include monitoring affected taxpayer accounts for signs of identity theft.
The compromised W-2 forms include extremely sensitive personal information, such as:
Although PLOS maintains other employment-related information, including bank account details used for payroll and direct deposit, the organization stated that only the information contained in the 2025 W-2 forms was affected. Bank account information was not compromised in this incident.
Spear-phishing attacks are a targeted form of phishing in which attackers impersonate trusted individuals or entities to trick recipients into disclosing sensitive information. W-2 phishing scams are particularly dangerous because they can lead to fraudulent tax filings and identity theft.
PLOS stated that it is not currently aware of any improper use of the disclosed information. However, similar attacks have historically resulted in fraudulent tax returns being filed in victims’ names, often before the victims themselves attempt to file.
The organization is working with its Digital team to assist with investigation and remediation efforts and has expressed its commitment to deploying additional safeguards to prevent similar incidents in the future.
Even in the absence of confirmed misuse, exposure of Social Security numbers and tax data can create long-term risks. Affected individuals may face tax-related identity theft, delayed refunds, or unauthorized financial activity.
At Class Action U, we believe employees should not bear the burden when organizations fail to properly train staff or implement safeguards against phishing schemes. If your information was exposed, you may have legal options.
When Did This Breach Occur?
The spear-phishing incident occurred on February 3, 2026.
PLOS discovered and reported the incident on the same day and immediately initiated an investigation.
What Information Was Breached?
The personal information involved includes:
This combination of tax and identity data significantly increases the risk of fraudulent tax filings and identity theft.
What You Can Do
If you were notified by PLOS that your W-2 information was disclosed, consider taking the following steps immediately:
- File your tax return as early as possible to reduce the risk of fraudulent filing.
- Monitor your IRS account for unusual activity.
- Consider requesting an Identity Protection PIN (IP PIN) from the IRS.
- Review your credit reports and monitor financial accounts for suspicious activity.
- Report suspected tax-related identity theft to the IRS and file a report at IdentityTheft.gov.
Remaining vigilant is critical, especially during tax season. Tax-related identity theft can take significant time and effort to resolve.
You may also want to explore your legal rights if your sensitive tax information was exposed due to this incident.
File a Data Breach Lawsuit Against Public Library of Science
If your W-2 and Social Security number were disclosed in the PLOS data breach, you may be eligible to pursue compensation. Exposure of tax and Social Security information creates serious risks, including fraudulent tax filings and long-term identity theft.
Class action lawsuits allow affected individuals to join together to hold organizations accountable for failing to prevent foreseeable phishing attacks.
Contact us at Class Action U, where we’ll connect you with a lawyer skilled in class action lawsuits. If you’ve been contacted about this breach, received notice, or discovered you were impacted, fill out our quick, easy, and secure form to sign up. There is no cost to reach out to our legal partner and no obligation after speaking with someone from our team.