The Equifax subsidiary, TALX, which provides online payroll, HR and tax services, was penetrated between April 17, 2016 and March 29, 2017.

The number of those affected by a breach into an Equifax subsidiary remains unclear, but what is known is that intruders were able to access customers' W-2 tax data, according to a report from security investigator Brian Krebs.

The Equifax subsidiary, TALX, which provides online payroll, HR and tax services, was penetrated between April 17, 2016 and March 29, 2017, Krebs reported, after bad actors reset the four-digit PIN provided as a password to customer employees. Once armed with that key, along with responding correctly to several personal questions, the miscreants were able to siphon out the accounts' W-2 tax data.

While Equifax alerted potentially affected clients, the extent of the damage has not been revealed as yet. However, owing to state data breach notification laws, Krebs was able to discover that at this point at least five enterprises received notices from Equifax, including Northrop Grumman and the University of Louisville.

“TALX believes that the unauthorized third-party(ies) gained access to the accounts primarily by successfully answering personal questions about the affected employees in order to reset the employees' PINs (the password to the online account portal),” Nicholas A. Oldham, an attorney representing TALX, wrote in a statement filed with the New Hampshire attorney general.

Krebs quoted Avivah Litan, a fraud analyst with Gartner, criticizing Equifax for depending on a simple PIN as a password: “There's about 500 percent more protection for credit card data right now than there is for identity data,” Litan told Krebs. She added that she was not aware of any document from the federal government that defines measures credit bureaus should take to protect their customers' personally identifiable information (PII).
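The pattern described above, a PIN reset completed through knowledge-based questions followed almost immediately by a W-2 download, is one a portal operator can watch for in its own access logs. The script below is an added illustration, not code from TALX, Equifax or Krebs: it runs two simple detections over constructed sample log lines (the log format, event names, field layout and one-hour threshold are all assumptions) and flags accounts whose KBA reset came from a never-before-seen address and was followed by a W-2 download, plus any single source address that reset PINs on several unrelated accounts.

```python
"""Detection heuristics for the account-takeover pattern in the article:
a PIN reset via knowledge-based answers (KBA), then a quick W-2 download.

Added example. The log format, event names and thresholds are assumptions,
not TALX's real logs or controls.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp event account source_ip
SAMPLE_LOG = """\
2017-03-01T09:02:11 LOGIN         emp1001 203.0.113.10
2017-03-01T09:03:40 W2_DOWNLOAD   emp1001 203.0.113.10
2017-03-01T09:10:00 LOGIN         emp1002 203.0.113.20
2017-03-02T22:14:05 PIN_RESET_KBA emp1001 198.51.100.77
2017-03-02T22:15:30 W2_DOWNLOAD   emp1001 198.51.100.77
2017-03-02T22:30:00 PIN_RESET_KBA emp1004 198.51.100.77
2017-03-02T22:31:10 W2_DOWNLOAD   emp1004 198.51.100.77
2017-03-03T08:00:00 PIN_RESET_KBA emp1002 203.0.113.20
2017-03-03T08:00:45 W2_DOWNLOAD   emp1002 203.0.113.20
2017-03-04T10:00:00 PIN_RESET_KBA emp1003 192.0.2.5
2017-03-06T11:00:00 W2_DOWNLOAD   emp1003 192.0.2.5
"""

RESET_TO_DOWNLOAD_WINDOW = timedelta(hours=1)  # assumed threshold


def parse_log(text):
    """Parse the assumed four-field format into (datetime, event, account, ip)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, account, ip = line.split()
        events.append((datetime.fromisoformat(ts), event, account, ip))
    events.sort(key=lambda e: e[0])
    return events


def find_suspicious_resets(events, window=RESET_TO_DOWNLOAD_WINDOW):
    """Return (account, reset_time, ip) for each KBA PIN reset that came from
    an address the account had never used before and was followed within
    `window` by a W-2 download. A reset from a known address (emp1002) or a
    download days later (emp1003) is not flagged by this heuristic."""
    known_ips = defaultdict(set)  # account -> addresses seen before this event
    pending = {}                  # account -> (reset_time, reset_ip, ip_was_new)
    findings = []
    for ts, event, account, ip in events:
        if event == "PIN_RESET_KBA":
            pending[account] = (ts, ip, ip not in known_ips[account])
        elif event == "W2_DOWNLOAD" and account in pending:
            reset_ts, _reset_ip, new_ip = pending.pop(account)
            if ts - reset_ts <= window and new_ip:
                findings.append((account, reset_ts, ip))
        known_ips[account].add(ip)
    return findings


def bulk_reset_sources(events, min_accounts=2):
    """Source addresses that completed KBA PIN resets on at least
    `min_accounts` distinct accounts. One source resetting many unrelated
    employees' PINs looks like harvesting, not a forgetful user."""
    accounts_by_ip = defaultdict(set)
    for _ts, event, account, ip in events:
        if event == "PIN_RESET_KBA":
            accounts_by_ip[ip].add(account)
    return {ip: len(accts) for ip, accts in accounts_by_ip.items()
            if len(accts) >= min_accounts}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for account, reset_ts, ip in find_suspicious_resets(ev):
        print(f"ALERT account={account} kba_reset_at={reset_ts.isoformat()} "
              f"new_ip={ip} followed by W-2 download")
    for ip, n in bulk_reset_sources(ev).items():
        print(f"ALERT source={ip} reset PINs on {n} distinct accounts")
```

On the sample data this flags emp1001 and emp1004, both reset from the same previously unseen address and both drained within minutes, and reports that address as a bulk-reset source; the two benign-looking sequences are left alone. Either signal alone is a reasonable trigger for a second factor or a manual review before releasing W-2 data, which is the kind of control a four-digit PIN plus personal questions does not provide on its own.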

“Identity thieves prize the W-2 and payroll data held by companies like TALX because they can use it to file fraudulent tax refund requests with the IRS and the states on behalf of victim consumers,” Krebs wrote. In fact, he pointed out, based on Internal Revenue Service statistics, some 787,000 Americans reported being victimized by tax refund fraud last year.