This is yet another example of a well-crafted phishing attack that has resulting in the compromise of significant PII.  These issues are not combated by technical controls alone.  Organizations must dedicate resources to effective user awareness training and design policies and procedures that allow for proper checks and balances.  IT can not solve all problems.

http://www.scmagazine.com/w-2-data-breach-places-21k-sprouts-farmers-market-employees-at-risk/article/485044/