ADP has confirmed that identity thieves accessed the W-2 data of employees at a number of its customers through the company's online portal, but says that the customers themselves are to blame for the theft.
What’s the problem?
ADP provides payroll, tax and benefits administration services to over 640,000 companies, and these companies’ employees can access their payroll and tax data through a dedicated online portal.
In order to do that, an employee creates an account by entering some personal information (name, date of birth and Social Security number) plus two company-specific items that ADP issues to the employer: a custom registration link and a static registration code.
ADP Chief Security Officer Roland Cloutier told Brian Krebs that customers can choose to create an account at the ADP portal for each employee, or they can defer that process to a later date.
Obviously, some chose the latter option. Unfortunately, some also published the company-specific link and static code online, on a website for employees, where anyone who found the page could read them.
The attackers, armed with this information and the private information of the employees (information that can be bought in the cybercriminal underground for a pittance), created accounts on the ADP portal in the name of those employees who had yet to open one. Because the portal accepted the first registration for a given employee as legitimate, the attackers effectively claimed the accounts before their real owners did.
With access to those accounts, the attackers collected the employees' W-2 data and used it to file fraudulent tax returns with the US Internal Revenue Service (IRS) in order to claim refunds.
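The weakness described above is that enrollment is gated only by a company-wide static code and personal data that is widely available, so whoever registers first owns the account. The following is an added illustration, not ADP's code or a description of how its portal is built: a simulated weak enrollment flow beside a hardened one in which the employer pre-provisions each employee and enrollment requires a single-use, expiring token delivered out of band. All names, codes and employee records are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed sample data (hypothetical employer "ACME"); not real records.
COMPANY_REGISTRATION_CODE = "ACME-7721"   # static, company-wide code, as in the weak flow
EMPLOYEES = {
    # SSN -> (name, date of birth) as the payroll provider would hold them
    "123-45-6789": ("Alice Example", "1980-01-02"),
    "987-65-4321": ("Bob Example", "1975-07-30"),
}
# Exactly the PII an attacker can buy: everything the weak flow asks for.
PURCHASED_PII = {"ssn": "123-45-6789", "name": "Alice Example", "dob": "1980-01-02"}


def _h(token: str) -> bytes:
    """Hash enrollment tokens at rest so a database leak does not leak live tokens."""
    return hashlib.sha256(token.encode()).digest()


class WeakPortal:
    """Enrollment gated by a company-wide code plus PII; first registrant wins."""

    def __init__(self):
        self.accounts = {}  # ssn -> username

    def register(self, company_code, name, dob, ssn, username):
        if company_code != COMPANY_REGISTRATION_CODE:
            return False
        if EMPLOYEES.get(ssn) != (name, dob):
            return False
        if ssn in self.accounts:
            return False  # already claimed, possibly by an attacker
        self.accounts[ssn] = username
        return True


@dataclass
class Invite:
    token_hash: bytes
    expires: float
    used: bool = False


class HardenedPortal:
    """Employer-issued, single-use, expiring enrollment token per employee.
    Knowing the company code and the employee's PII is not enough to enroll."""

    TOKEN_TTL = 7 * 24 * 3600  # seconds; hypothetical policy

    def __init__(self):
        self.accounts = {}
        self.invites = {}  # ssn -> Invite
        self.audit = []    # (event, ssn, detail) for the security team

    def issue_invite(self, ssn, now=None):
        """Called by the employer's HR process, never by the end user."""
        if ssn not in EMPLOYEES:
            raise KeyError("unknown employee")
        token = secrets.token_urlsafe(32)
        self.invites[ssn] = Invite(_h(token), (now or time.time()) + self.TOKEN_TTL)
        return token  # delivered out of band to a contact the employer already holds

    def register(self, token, name, dob, ssn, username, now=None):
        now = now or time.time()
        inv = self.invites.get(ssn)
        if inv is None or inv.used or now > inv.expires:
            self.audit.append(("reject", ssn, "no valid invite"))
            return False
        if not hmac.compare_digest(inv.token_hash, _h(token)):
            self.audit.append(("reject", ssn, "bad token"))  # worth alerting on
            return False
        if EMPLOYEES.get(ssn) != (name, dob) or ssn in self.accounts:
            self.audit.append(("reject", ssn, "identity mismatch or already enrolled"))
            return False
        inv.used = True
        self.accounts[ssn] = username
        self.audit.append(("enrolled", ssn, username))
        return True


def simulate():
    """Run the attack against both portals and return the outcomes."""
    weak = WeakPortal()
    # Attacker found ACME-7721 on the employer's public site and bought Alice's PII.
    weak_attacker = weak.register(COMPANY_REGISTRATION_CODE, **PURCHASED_PII, username="attacker")
    weak_alice = weak.register(COMPANY_REGISTRATION_CODE, **PURCHASED_PII, username="alice")

    hard = HardenedPortal()
    alice_token = hard.issue_invite("123-45-6789")
    hard_attacker = hard.register("guessed-token", **PURCHASED_PII, username="attacker")
    hard_alice = hard.register(alice_token, **PURCHASED_PII, username="alice")
    hard_replay = hard.register(alice_token, **PURCHASED_PII, username="attacker2")
    bob_token = hard.issue_invite("987-65-4321", now=1000.0)
    hard_expired = hard.register(bob_token, "Bob Example", "1975-07-30", "987-65-4321",
                                 "bob", now=1000.0 + HardenedPortal.TOKEN_TTL + 1)
    return {
        "weak_attacker_registers": weak_attacker,        # True: account hijacked
        "weak_real_employee_later": weak_alice,          # False: Alice is locked out
        "hardened_attacker_without_token": hard_attacker,
        "hardened_real_employee_with_token": hard_alice,
        "hardened_token_replay": hard_replay,
        "hardened_expired_token": hard_expired,
    }
```

The point of the hardened flow is not the token format but who controls enrollment: the employer asserts which people may enroll and hands each of them a secret that is never published company-wide, so the attacker's purchased PII and the leaked registration code are no longer sufficient. The audit trail of rejected attempts is what lets the provider notice an enrollment campaign instead of learning about it from the IRS.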
ADP says that the companies made the mistake of publishing data that should have been handled more carefully, and that it is now actively scouring the web for exposed links and codes belonging to other ADP customers.
“Cloutier said ADP does offer an additional layer of authentication — a personal identification code (PIC) — basically another static code that can be assigned to each employee. He added that ADP is trialing a service that will ask anyone requesting a new account to successfully answer a series of questions based on information that only the real account holder is supposed to know,” Krebs reports.
But knowledge-based authentication relies on users answering questions whose answers can often be found online (e.g. on social media), so attackers who have already bought a victim's personal data may well be able to answer them too.
Nevertheless, ADP believes this is enough to keep those accounts secure.
By the way, the New Jersey-based company is not the only payroll and W-2 service provider whose clients have reported theft of W-2 data. Dissent Doe over at Databreaches.net has been reporting on similar incidents for the last few months, and in some cases it is still unknown how the attackers got their hands on the data.
What to do if your data has been stolen?
“As ADP works with more than 640,000 companies, this may only be the tip of the iceberg,” says Adam Levin, chairman of IDT911. The fact that W-2 data can be used to file fraudulent tax returns puts a huge bull’s-eye on payroll and human resource companies like ADP that handle such a goldmine of personally identifiable information.
“If you discover you are the victim of tax-related identity theft, the first step is to report the crime to your local police and file a complaint with the Federal Trade Commission. Next, you should file IRS Form 14039 Identity Theft Affidavit,” he advises.
“You can also contact the Identity Protection Specialized Unit of the IRS at 1-800-908-4490 for additional help with your case. In the meantime, closely monitor your credit records for any suspicious activity and consider setting up fraud alerts and enrolling in a credit and identity monitoring program, or freezing your credit. If it appears that any of your credit or financial accounts has been improperly accessed, close the compromised account (or accounts) immediately to prevent identity thieves from looting them or using them as conduits to gain even more sensitive information about you.”