ADP Clients Face Potential Tax Fraud After Recent Breach

Payroll processing giant ADP recently divulged a breach that exposed tax information of employees of some of its clients, leaving them open to tax fraud and identity theft. The 60-year-old Paterson, New Jersey-based company looked into the unauthorized access after a number of customers in its client base came forward with reports of fraudulent transactions made through its ADP self-service portal. The bank’s letter attributes the breach to a vulnerability in an external portal for W-2 information. The letter says that portal accounts that were created for individual employees, but that the employees never used, were vulnerable to the ADP security breach.

In April 2019, nearly $500,000 was diverted from the City of Tallahassee’s payroll after a cyberattack that resulted in employees realizing they were not paid their monthly salaries. The hackers managed to infiltrate the state’s payroll provider and redirect employee payments to a foreign bank account.

“The HPOU was notified that ADP had a security breach in relation to the City’s online W-2s. This breach is extremely low risk but does potentially affect approximately 1,300 classified HPD employees. ADP is sending letters to all employees affected and offering a free year of ID theft protection,” the entry said. If your employer uses ADP to process payroll and you received an ADP paycheck or ADP W2 tax form, you could become the victim of tax fraud. You may be eligible to join a class action lawsuit investigation to help compensate you for past and future losses. Neither U.S. Bank nor ADP has revealed how many employees’ data was compromised.

The Growing Tax Fraud Menace

ADP also says it has experienced similar breaches this year involving a small subset of its other customers. According to ADP, its customers who both create portals for all their employees and publish the associated ADP portal information in publicly available sources contribute to the risk that breaches like this will happen. Hackers were able to sneak into those portal accounts using the employees’ personal information gathered from other sources – information including the employees’ names, dates of birth, and Social Security numbers. Over 640,000 companies contract for ADP payroll services to handle their employees’ paychecks, pay stubs, and benefits administration. Hackers impersonated the employees of ADP customers, enabling them to register accounts in an ADP system that gave them access to the employees’ W-2 information.

Having unique codes sent to an email address would not be an effective form of multifactor authentication because if a scammer has gained access to the applicable username and password for the email account, the scammer would be able to access the unique codes as well. Payroll practitioners should be aware of the common types of scams that target payroll operations so they can help protect employers and employees from data breaches, a data security specialist said June 2. Things like bank account numbers and Social Security numbers are stock in trade for legions of hackers. This is data with good, reliable resale value, and they can always find a ready market for it.

Identity thieves stole tax and salary data from payroll giant ADP by registering accounts in the names of employees at more than a dozen customer firms, KrebsOnSecurity has learned. ADP says the incidents occurred because the victim companies all mistakenly published sensitive ADP account information online that made those firms easy targets for tax fraudsters. ADP, on the other hand, noted that certain companies posted their unique ADP corporate registration codes to an unsecured website. Cybercriminals took advantage of the available information and used it to create fake ADP accounts. To register on the portal, a cybercriminal needs personally identifiable information such as names, dates of birth, and Social Security numbers. Such data, according to ADP, was not harvested from its systems, but must have already been in the hands of the crooks.

The IRS found this out the hard way, and over the past year has removed two separate authentication systems that placed too much reliance on KBA and static data to authenticate taxpayers. In May 2015, the IRS took down its “Get Transcript” service after tax refund fraudsters began using it to pull W-2 data on more than 724,000 taxpayers. In those cases, the fraudsters also already had the victim’s SSN, DoB and other personal data. In March 2016, the IRS suspended its “Get IP PIN” feature for the same reason. ADP’s portal, like so many other authentication systems, relies entirely on static data that is available on just about every American for less than $4 in the cybercrime underground (SSN/DOB, address, etc). It’s true that companies should know better than to publish such a crucial link online along with the company’s ADP code, but then again these are pretty weak authenticators. ADP said the breach did not involve payroll data, and the information that was at risk was part of a product ADP’s benefits administration business no longer sells.

ADP Can’t Shake Calif. Employer’s Suit Over Pay Software

Much has been said in the recent past about the growing sophistication of hacking attacks, and this latest, sadly successful attack on ADP is a perfect example of that sophistication. ADP emphasized that the fraudsters needed to have the victim’s personal data — including name, date of birth and Social Security number — to successfully create an account in someone’s name. ADP also stressed that this personal data did not come from its systems, and that thieves appeared to already possess that data when they created the unauthorized accounts at ADP’s portal. US Bank’s Ripley then admitted that the bank made the company code accessible by publishing the link to an employee resource online. This was done without the knowledge that the code is privileged data. In January 2020, the Meadville Medical Center in Pennsylvania had a security breach of its payroll system that resulted in unauthorized exposure of employees’ personal data and their dependents’ personal information.

ADP is a third-party service provider that offers payroll, tax and benefits administration to its vast clientele of over 640,000 companies around the world. Back in November 2019, a car was broken into and payroll data from 29,000 current and former Facebook employees was stolen from a hard drive. Personal data including name, bank account details, and the last 4 digits of the employees’ social security number were taken. Between June and October 2018, Centerstone Insurance and Financial Services, operating under the name BenefitMall, a payroll and benefits provider, fell victim to a phishing attack which exposed over 111,000 individuals’ private data to hackers.

Using personal information gathered from other sources, hackers were able to round up data from about 724,000 compromised taxpayer accounts. ADP provides payroll, tax and benefits administration for over 640,000 companies. In connection with providing payroll, tax and benefits administration, ADP stores tax and salary information, such as W-2s, for each of its customers’ employees. For some ADP customers, employees can view this information themselves by registering with ADP’s self-service portal. ADP has thus far not released information on how many records were put at risk by the successful hack against them, and security experts stress that ADP itself was not hacked.

The problem, Cloutier said, seems to stem from ADP customers that both deferred that signup process for some or all of their employees and at the same time inadvertently published online the link and the company code. As a result, for users who never registered, criminals were able to register as them with fairly basic personal info, and access W-2 data on those individuals. Paterson, N.J.-based ADP provides payroll, tax and benefits administration for more than 640,000 companies. Last week, U.S. Bancorp (U.S. Bank) — the nation’s fifth-largest commercial bank — warned some of its employees that their W-2 data had been stolen thanks to a weakness in ADP’s customer portal.

An attacker could also access a range of personal data including name, birth date, physical address, pay stubs, or Social Security number — all the information they’d need to commit identity theft. They could also locate an employee’s tax documents, which could be used to file fraudulent tax returns on the worker’s behalf and redirect the funds to attackers’ accounts. This same kind of assurance didn’t go the way of the two recently-targeted companies. In fact, this is not the first time third-party providers were used as a channel for compromise. In the past, it was pointed out that securing the enterprise requires a more holistic approach in terms of keeping security gaps to a minimum. Experts have identified the importance of keeping the security of IT supply chains and contractors intact as these represent potential weak points in the security of any organization.

Bank, which contracts with ADP payroll services, sent a letter to its employees who may have been affected. The letter says the bank has been actively investigating the ADP security breach since April 19, 2016. In addition, if the ADP portal is enabled to store the wire transfer/bank account information of a company’s employees, a criminal with access to an employee’s account can change the wire instructions and have the employee’s pay sent to a fraudulent bank account. According to news reports, cyber criminals appear to have gained unauthorized access to ADP, Inc.’s self-service customer portal to file fraudulent tax returns for some ADP customer employees. ADP has reportedly confirmed that a subset of its customers have been the victim of tax fraud perpetrated by hackers posing as customer employees on ADP’s portal.

Unfortunately, due to the multitude of breaches that have occurred over time, such personal information is widely available for purchase by malicious actors on the dark web and the black market. Additionally, many companies post unique ADP identification codes publicly for the convenience of their employees.

The report of the breach came barely a week after another company was reported to have its customer data breached from its database by using another third-party provider as an entryway for compromise. By way of inserting a malicious code into the software, hackers managed to access information provided by customers making purchases.

To fix the problem of overpayments by the federal government’s payroll system – Phoenix Pay – Public Services and Procurement Canada sent departmental heads of human resources and chief financial officers reports every two weeks listing employee overpayments. A report naming 69,087 public servants, including their personal and banking details, was accidentally emailed to the wrong federal departments. In February 2020 more than 69,000 Canadian federal employees became victims of a privacy breach after their personal information was emailed to the wrong people.

Payroll services company Automatic Data Processing Inc. on Wednesday disclosed a data breach that it said apparently affects only one of its employer clients, The Associated Press reports. According to a corporate statement, ADP is investigating a data breach that infiltrated the company’s system after a hacker compromised one of ADP’s clients at Workscape, a benefits administration provider that ADP recently acquired. “The intrusion, which occurred on a non-payroll legacy platform that is no longer sold by ADP’s benefits administration business, was detected by the ADP security team during routine system monitoring,” ADP says.

Information that was hacked included names, social security numbers, bank account details, date of birth, and addresses. ADP confirmed this activity, saying that it hit “a very small subset” of its customers. The company stressed that hackers need more than just tax data to actually open an account in another person’s name and said the data was not extracted from its systems. This leak caught national attention yesterday when Krebs’ report came out because of ADP’s widespread reach into the payroll and administrative sectors as the company handles those aspects for more than 640,000 companies. Bank, which recently discovered that some of its employees had tax data compromised. Hackers had used similar tactics previously to break into the IRS’s Get Transcript application.

Once hackers gain access to the data elements required for registration, they are able to create fraudulent ADP accounts within ADP’s self-service portal for customer employees that had not previously registered for the portal. Hackers can then view W-2 information within those accounts and use it to file fraudulent tax returns on behalf of employees. Between November 2018 and January 2019, KPMG Mexico, a payroll service provider, exposed payroll data for 41 of its clients because their information was stored in an insecure database. The data became available online and accessible without any security checks or password protections. Leaked data included federal taxpayer registry codes, social security numbers, bank account details, and salary information. If an organization had previously posted its unique ADP registration code publicly, the company should consider investigating whether any unusual or fraudulent activity took place with respect to ADP’s self-service portal.
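An added example, not from the original article or from ADP: one way an employer could triage a portal audit export for the pattern described above, where an account is newly registered and then immediately used to view W-2 data or change deposit details. The event names, field layout and sample rows are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit export: (timestamp, event, employee_id, source_ip).
# Field layout and event names are hypothetical, not ADP's.
EVENTS = [
    ("2016-04-12T02:14:05", "register", "E1001", "203.0.113.7"),
    ("2016-04-12T02:15:40", "view_w2", "E1001", "203.0.113.7"),
    ("2016-04-12T02:19:11", "register", "E1002", "203.0.113.7"),
    ("2016-04-12T02:20:02", "view_w2", "E1002", "203.0.113.7"),
    ("2016-04-12T02:26:30", "register", "E1003", "203.0.113.7"),
    ("2016-04-12T02:27:00", "change_deposit", "E1003", "203.0.113.7"),
    ("2016-04-13T09:05:00", "register", "E2001", "198.51.100.20"),
    ("2016-04-20T10:00:00", "view_w2", "E2001", "198.51.100.20"),
]
SENSITIVE = {"view_w2", "change_deposit"}

def review_registrations(events, trusted_ips=(), follow_up=timedelta(minutes=30), burst=3):
    """Return {employee_id: [reasons]} for registrations worth a manual look."""
    parsed = sorted((datetime.fromisoformat(t), ev, emp, ip) for t, ev, emp, ip in events)
    regs_by_ip = defaultdict(set)
    for _, ev, emp, ip in parsed:
        if ev == "register":
            regs_by_ip[ip].add(emp)
    findings = {}
    for ts, ev, emp, ip in parsed:
        # Skip the employer's own egress addresses, where bulk sign-up is normal.
        if ev != "register" or ip in trusted_ips:
            continue
        reasons = []
        # One outside address enrolling many different employees.
        if len(regs_by_ip[ip]) >= burst:
            reasons.append(f"{len(regs_by_ip[ip])} employees registered from {ip}")
        # A brand-new account going straight to W-2 or pay-routing data.
        for ts2, ev2, emp2, _ in parsed:
            if emp2 == emp and ev2 in SENSITIVE and timedelta(0) <= ts2 - ts <= follow_up:
                reasons.append(f"{ev2} {ts2 - ts} after registration")
        if reasons:
            findings[emp] = reasons
    return findings

if __name__ == "__main__":
    for emp, reasons in review_registrations(EVENTS).items():
        print(emp, "->", "; ".join(reasons))
```

Flagged employees are candidates for direct contact to confirm whether they registered themselves; the thresholds are starting points to tune against the employer's normal sign-up activity.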

The company says it provides ADP payroll services customers with a customer-specific link and a static code that are both required for their employees to register for the portal. Tax information for customers of ADP payroll services is now in the hands of hackers who could use the information to make fraudulent claims for tax refunds. ADP relies on static data – name, Social Security Number, date of birth, and a unique company identification code – to authenticate new portal registrants.

Rather, the workflow itself was breached, and the hackers took advantage of the fact that some companies weren’t as careful as they should have been with their activation codes. Using a process called “Flowjacking”, hackers were able to determine the work and data flow of ADP’s internal processes. They found out, for example, that setting up a user account with the company was a two-step process. The first step involves setting up the account, which requires social security numbers and other personal data that hackers are very good at getting their hands on. ADP is the world’s largest HR firm, handling tax and payroll accounts for more than 640,000 companies that collectively employ millions of people. It may be possible that your company is one of the hundreds of thousands that rely on ADP for this function.

The second step is activating the account, and ADP sends activation codes to the companies that set up accounts with them. Unfortunately, some companies are not careful with their activation codes, and wind up placing them in the public domain, where they can be scooped up by ever-watchful hackers.

I’ve been direct depositing to the same account for at least 10 years, and filing late in the year, you would think the IRS would take note of that before blindly sending a direct deposit to some thief’s account. And, whatever happened to all of the “know your customer” rules that banks are supposed to have before opening up such an account to receive the money? It seems that the accounts opened for tax anticipation loans must not need to know the customer. I can only hope some tax anticipation loan company is out the value of my fake return, and will improve their screening in the future.