Cloud-based human resources company ComplyRight fell victim to a data breach which compromised customer information.
It is unclear how many were affected however, names, addresses, phone numbers, email addresses and Social Security numbers — from tax forms submitted by the company's thousands of clients on behalf of employees were compromised in the incident.
“On May 22, 2018, ComplyRight initially learned of a potential issue involving our tax reporting web platform,” the Pompano Beach, Fla-based firm said in a security notice. “After investigation, we concluded that a criminal cyberattack had targeted some of the personal information maintained on the websites using our platform.”
The firm said an attacker gained unauthorized access to its platform and that “a portion (less than 10%)” of those whose tax forms were prepared by the company, were affected by the incident. ComplyRight has reported the incident to the IRS and regulators, including state Offices of Attorney General, as required.
Jeannie Warner, security manager at leading application security provider WhiteHat Security said according to her firm's research an alarming number of web applications remain ‘always vulnerable' and susceptible to attack every single day of the year.
“As a human resources firm, ComplyRight handles forms overflowing with personally identifiable information, such as 1099s and W2s,” Warner said. “The fact that the company touts its security prowess, yet Brian Krebs couldn't identify a single employee with a security title, is deeply concerning--and just another reason for consumers to question their trust in digital businesses.”
She added that organizations that rely on digital platforms should empower developers to code using security best practices in mind throughout the entire software development life cycle, with proper training and even security certifications.
NuData Security Vice President Ryan Wilk said the “breach underscores once again, for merchants and financial institutions, that mere reliance on passwords and usernames is insufficient to protect their organisation and their customers from online fraud.”
Wilk added that every organization handling sensitive data should lock down their security, and to stop relying personally identifiable information to verify users which are easily stolen and easily reused.