Dive Brief:
- Payroll company ADP was hit by identity thieves that stole tax and salary data, according to a report from KrebsOnSecurity.
- To access the information, thieves registered accounts using employees' names from multiple customer firms, the report said.
- ADP said victim companies inadvertently published their signup link and code, making those companies targets for hackers.
Dive Insight:
ADP provides human resource management, including payroll, tax and benefits administration for more than 640,000 companies. The company said only a small number of customers were impacted by the fraud.
ADP said the personal data did not come from its systems, but that thieves used data already in their possession to create unauthorized accounts at ADP’s portal, according to ADP Chief Security Officer Roland Cloutier. Using a link and company code published by the victim company, fraudsters were then able to create accounts and access W-2 data.
U.S. Bancorp was apparently one of the victims. Last week, U.S. Bancorp warned some of its employees that their W-2 data had been stolen due to a security weakness in ADP's customer portal. The company admitted that they published the link and company code to an employee resource online, but did not realize that data was privileged.
"W-2 data is a hot commodity for identity thieves because it contains the type of sensitive personal information necessary to file fraudulent federal and state tax returns for the purpose of securing tax refunds in the names of victims," said Adam Levin, chairman and founder of IDT911. "This puts a huge bull’s-eye on payroll and human resource companies like ADP that handle such a goldmine of personally identifiable information."
When identity thieves successfully file fraudulent tax returns, they receive the funds intended for the rightful taxpayer.