Cybercriminals recently accessed a W-2 portal maintained by payroll company ADP to glean sensitive information about employees at a handful of companies.
ADP is stressing that it wasn’t hacked itself, but that identity thieves appear to have been able to create ADP accounts in the names of victims using previously leaked personally identifiable information.
The problem, ADP claims, was a self-service registration portal that allowed attackers to set up fraudulent accounts in the names of employees at those undisclosed companies.
An investigation carried out by the company determined that attackers likely pieced together information on victims using other information published about them online. Any individuals who had their W-2 information compromised likely had their information compromised previously, ADP claims.
Getting into the portal in the first place requires an access code unique to companies. ADP believes attackers targeted employees who had yet to sign up for the service. To gain access to the portal, they gathered access codes from the companies’ unsecured public websites and then used either employees’ dates of birth, employee numbers, or Social Security numbers, information that was either stolen via malware or also published online.
Once they were in, attackers were able to easily pilfer individuals’ W-2 forms through a feature in ADP’s portal.
It’s unclear exactly when attackers carried out the scheme, or how many employees’ W-2s they were able to download. According to KrebsonSecurity.com, which broke the story on Tuesday, the identity thieves managed to register accounts at “more than a dozen customer firms.”
ADP has more than 150 offices across North America and provides business payroll and HR products to 640,000 companies in 130 countries.
U.S. Bank is purportedly one of the companies involved in the case, according to Krebs. A spokesman with the bank, Dana Ripley, said a “small population” of the bank’s 64,000 employees, roughly two percent, received letters that their W-2s may have been downloaded.
In those letters, Jennie Carlson, U.S. Bank’s Executive Vice President of Human Resources, claims the company has been investigating an issue with ADP since April 19, 2016.
“During the course of that investigation we have learned that an external W-2 portal, maintained by ADP, may have been utilized by unauthorized individuals to access your W-2, which they may have used to file a fraudulent income tax return under your name,” the letter reads.
According to Dick Wolfe, Sr. Director Corporate Communications at ADP, the company has always advised against posting registration codes online and, in the wake of the incident, has temporarily disabled access to the registration portal for those clients.
“ADP has no evidence that its systems housing employee information have been compromised,” a statement from the company issued Tuesday read. “Additionally, the company is working with a federal law enforcement task force to identify the fraud perpetrators.”
Attackers used a similar attack vector to extract data from the Internal Revenue Service’s (IRS) website last May.
Hackers used individuals’ information, like Social Security numbers, names, dates of birth, and other data to infiltrate the IRS’s Get Transcript, a service that gives taxpayers tax account transaction and line-by-line tax return information. Initially the IRS said that records belonging to 100,000 taxpayers may have been accessed, but three months later the agency announced that more than three times as many – 334,000 taxpayers – may have been affected.