Dive Brief:
- Payroll company ADP was hit by identity thieves who stole tax and salary data, according to a report from KrebsOnSecurity.
- To access the information, thieves registered accounts using employees' names from multiple customer firms, the report said.
- ADP said victim companies inadvertently published their signup link and code, making those companies targets for hackers.
Dive Insight:
ADP provides human resource management, including payroll, tax and benefits administration, for more than 640,000 companies. The company said only a small number of customers were impacted by the fraud.
ADP Chief Security Officer Roland Cloutier said the personal data did not come from ADP’s systems, but that thieves used data already in their possession to create unauthorized accounts at ADP’s portal. Using a link and company code published by the victim company, fraudsters were then able to create accounts and access W-2 data.
"W-2 data is a hot commodity for identity thieves because it contains the type of sensitive personal information necessary to file fraudulent federal and state tax returns for the purpose of securing tax refunds in the names of victims," said Adam Levin, chairman and founder of IDT911. "This puts a huge bull’s-eye on payroll and human resource companies like ADP that handle such a goldmine of personally identifiable information."
Indeed, HR was considered the #2 cybersecurity threat at companies last year. U.S. security professionals estimated 54% of the workforce is in a position where they might cause an accidental security breach, while 5% are seen as having the potential to cause a malicious one.