Payroll processing giant, ADP, recently divulged a breach that exposed tax information of employees of some of its clients, exposing them to tax fraud and identity theft. The 60-year-old Paterson, New Jersey-based company looked into the unauthorized access after a number of customers in its client base came forward with reports of fraudulent transactions made through its ADP self-service portal.
ADP is a third-party service provider that offers payroll, tax and benefits administration to its vast clientele of over 640,000 companies around the world. The company describes itself as a pioneer “in defining the future of business outsourcing solutions.” ADP does this by harnessing its cloud-based Human Capital Management (HCM) solutions together with its unparalleled “business outsourcing services, analytics, and compliance expertise”.
In his report, cybersecurity journalist Brian Krebs noted that at least one institution, U.S. Bancorp (U.S. Bank), has been directly impacted by the breach. U.S. Bank, one of America’s most sizable commercial banks, has duly notified a portion of its workforce affected by the stolen W-2 data, pointing to a “weakness in ADP’s customer portal”. However, Krebs notes that more could be affected.
In a statement, U.S. Bancorp spokeswoman Dana Ripley mentioned that the vulnerability has been patched. She added that 2% of the company’s 64,000 employees have reportedly been affected. In a signed letter by US Bank executive vice president of human resources Jennie Carlson addressed to what was described as a “small population” of the company’s workforce, it was shared that the security incident has been the object of investigation with the institution’s W-2 provider, ADP, since April 29, 2016. As such, “During the course of that investigation we have learned that an external W-2 portal, maintained by ADP, may have been utilized by unauthorized individuals to access your W-2, which they may have used to file a fraudulent income tax return under your name.”
The letter to the affected parties went on to say, “the incident originated because ADP offered an external online portal that has been exploited. For individuals who had never used the external portal, a registration had never been established. Criminals were able to take advantage of that situation to use confidential personal information from other sources to establish a registration in your name at ADP. Once the fraudulent registration was established, they were able to view or download your W-2.”
ADP, on the other hand, noted that certain companies posted their unique ADP corporate registration codes to an unsecured website. Cybercriminals took advantage of the available information and used them to create fake ADP accounts. To register to the portal, a cybercriminal with malicious intent needs personal identifiable information like names, dates of birth, and Social Security numbers. Such data, according to the ADP, were not harvested from its systems, but must have already been in the hands of the crooks.
ADP senior director of corporate communications Dick Wolfe stated, “These clients made the unique company registration code available to its employees via an unsecured public website. The combination of an unsecured company registration code and stolen personal information (via phishing, malware, etc.) enabled the fraudulent access to the portal, based on ADP's investigation to date.”
US Bank’s Ripley then admitted that the bank made the company code accessible by publishing the link to an employee resource online. This was done without the knowledge that the said code is privileged data. Ripley said, “We viewed the code as an identification code, not as an authentication code, and we posted it to a Web site for the convenience of our employees so they could access their W-2 information.” Currently, the financial institution said that the company code has been taken down and that they've discontinued the practice.
As of this writing, ADP reported that the company has implemented means to monitor the web for any other client who may have shared their signup links and unique company codes. In a post, chief security officer, Roland Cloutier, assured the rest of its massive customer base, “We’ve now aggressively put in some security intelligence by trying to look for that code and turn off self-service registration access if we find that code.”
The report of the breach came barely a week after another company was reported to have its customer data breached from its database by using another third-party provider as an entryway for compromise. Seattle-based pet store, LuckyPet, disclosed news of a breach to the California State Attorney General’s office affecting an undisclosed number of victims whose names, addresses, and credit card data have been stolen through an exploited vulnerability in its third-party shopping cart software. By way of inserting a malicious code into the software, hackers managed to access information provided by customers making purchases.
When Uber went through investigations of a possible breach that led to the sale of hacked user accounts in the cybercriminal underground, officials of the billion-dollar startup assured its users that their credit card credentials were safe, as the data was stored by a third-party service provider. This same kind of assurance didn’t go the way of the two recently-targeted companies. In fact, this is not the first time third-party providers were used as a channel for compromise. In the past, it was pointed out that securing the enterprise requires a more holistic approach in terms of keeping security gaps to a minimum. Experts have identified the importance of keeping the security of IT supply chains and contractors intact as these represent potential weak points in the security of any organization.
The recently reported ADP breach demonstrates the grave repercussions of losing W-2 data to cybercriminals. Data thieves have been known to target W-2 data as these contain irreplaceable personal information that can be sold in the underground or used to stage further attacks, particularly identity theft and financial fraud.
[Read: A closer look at IRS scammers]
Last February, months before the year’s tax filing season drew to a close, the IRS issued a warning stating a 400% uptick in scams that targeted tax information. According to the FBI, from October 2013 through February 2016, schemes that made use of different techniques to steal such information were tricked over 17,600 victims, amounting to $2.3 billion in losses.
ADP shares dropped to about 0.7% following the report of the breach, while its client and confirmed affected party went down 1.3%. In a separate statement, ADP officials said, "ADP has no evidence that its systems housing employee information have been compromised. Additionally, the company is working with a federal law enforcement task force to identify the fraud perpetrators."
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.