Has information about your salary been stolen from you without you knowing it? KrebsOnSecurity has discovered that hackers have stolen tax and salary info from the payroll processor ADP, which processes the payrolls of more than 640,000 companies. U.S. Bank sent out a notice to some of its employees last week warning them that their W-2 data had been compromised by a breach of ADP's customer portal.
A U.S. Bank employee forwarded to KrebsOnSecurity the letter from the VP of human resources informing employees that the company has been investigating the breach since April 19, just after Tax Day. U.S. Bank employs more than 64,000 people, although according to a company statement only 1,400 were affected, or about 2% of its total workforce.
So far, U.S. Bank is the only company to come forward to acknowledge the impact of the breach, but considering that ADP processes W-2 data for tens of millions of American workers, the scale of the breach could be huge. According to Brian Krebs, who runs KrebsOnSecurity, up to a dozen companies could be affected.
ADP says the breach is not its fault. In a statement to CNBC, the company said that some of its clients had published their unique registration codes to publicly-accessible pages, which allowed hackers to log in to the ADP portal posing as employees of its corporate clients.
ADP says it has suspended portal access for companies that still have their unique registration codes posted online. In response, U.S. Bank spokesperson Dana Ripley said the bank had posted its ADP registration code online so that employees could easily access their W-2 information, but has since ended the practice.
In order to get into ADP's portal, fraudsters had to already have an employee's name, date of birth and Social Security number, information which only costs about $4 in the criminal underworld, as well as a company-specific link and registration code provided by ADP. ADP told CNN that it is working with a federal task force to investigate the breach and that it is scanning the Internet for any other codes that its clients may have published.
Security expert Adam Levin told SCMagazine.com that both sides were to blame for the breach: the client companies for posting their unique registration codes online, and ADP for managing a weak customer portal that was easy to fool.
Although an unknown number of employees' tax and salary data were compromised, depending on when the leak occurred the fallout might not be all that bad. Even if hackers got employee tax and salary data before Tax Day on April 18, many employees had probably already filed their tax returns and received their refunds.
If the breach occurred after Tax Day, the only employees who could be affected this year are late-filers. But tax refund fraud could be a little easier for criminals next year, thanks to the data stolen from ADP. All it takes to file a fraudulent tax return is a person's name and Social Security number, but accurate salary data makes it less likely that the IRS will flag the return as suspicious.