At least one major corporation that uses ADP as its payroll vendor had some of its employees W-2 tax information compromised.
ADP said it has learned that a small number of its clients reported that some of their employees were victimized by fraudulent registrations through an ADP self-service portal. The only company identified so far is U.S. Bancorp, although, according to a report on KrebsOnSecurity, up to a dozen others could be involved.
U.S. Bancorp spokeswoman Dana Ripley told SCMagazine.com that the vulnerability has been resolved for her firm and that the issue may have impacted about two percent of its workforce. The company employs about 60,000 people.
ADP said the situation arose when certain companies posted their unique ADP corporate registration code to an unsecured website. This code was then used to create employee ADP accounts. To do this, the criminal had to locate an account that had not yet been registered and then combine personally identifiable information gleaned from the web with the corporate registration code to register as that individual. Once this was done, the bad guys could view that person's W-2 information.
"Registration to the portal requires an access code that is unique to each client company. The company registration code is combined with an individual employee's personal information (e.g., partial SSN, DOB, employee number, etc.) to create a unique access code required for portal registration. In this case, these clients made the unique company registration code available to its employees via an unsecured public website. The combination of an unsecured company registration code and stolen personal information (via phishing, malware, etc.) enabled the fraudulent access to the portal, based on ADP's investigation to date," said Dick Wolfe, ADP's senior director of corporate communications.
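The enrollment design described above, a static per-company registration code combined with personal details that can be obtained elsewhere, is what made the leaked code so damaging. The following is an added illustration, not ADP's code or any description of its actual portal: it models the weak scheme as the article describes it, then shows the usual hardening, a per-employee, single-use, expiring enrollment token signed by the portal and delivered out of band. All names, sample records and the key are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# --- Weak scheme, as described in the article (constructed sample data) ---
# One static registration code shared by every employee of a client company,
# combined with PII that is often available from other sources. Neither factor
# is bound to the genuine employee, so a leaked code plus stolen PII suffices.
WEAK_CLIENT_CODE = "ACME-REG-2016"  # constructed; stands in for a leaked static code
WEAK_EMPLOYEES = {                  # constructed; accounts not yet registered
    "E1001": {"ssn_last4": "1234", "dob": "1980-05-17", "registered": False},
}

def weak_register(company_code, employee_number, ssn_last4, dob):
    """Accept a registration when the static company code and the PII match.
    Marks the account registered and returns True; the first party to present
    the code and PII owns the account, whether or not they are the employee."""
    rec = WEAK_EMPLOYEES.get(employee_number)
    if company_code != WEAK_CLIENT_CODE or rec is None or rec["registered"]:
        return False
    if rec["ssn_last4"] != ssn_last4 or rec["dob"] != dob:
        return False
    rec["registered"] = True
    return True

# --- Hardened scheme: per-employee, single-use, expiring enrollment token ---
SERVER_KEY = secrets.token_bytes(32)  # constructed; known only to the portal

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_enrollment_token(key, client_id, employee_id, issued_at, ttl_seconds=7 * 86400):
    """Mint a token for exactly one employee. The payload names the client and
    employee, carries an expiry and a random nonce, and is authenticated with
    HMAC-SHA256 so that no field can be altered without the server key."""
    claims = {"c": client_id, "e": employee_id, "iat": issued_at,
              "exp": issued_at + ttl_seconds, "n": secrets.token_hex(8)}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)

def hardened_register(key, token, now, used_nonces):
    """Validate a token; returns (ok, employee_id_or_reason).
    used_nonces is the portal's store of nonces already redeemed, which makes
    every token single-use even if it is copied before the employee redeems it."""
    try:
        p64, t64 = token.split(".")
        payload, tag = _unb64(p64), _unb64(t64)
    except ValueError:  # wrong number of parts or invalid base64
        return False, "malformed"
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return False, "bad signature"
    claims = json.loads(payload)
    if now > claims["exp"]:
        return False, "expired"
    if claims["n"] in used_nonces:
        return False, "already used"
    used_nonces.add(claims["n"])
    return True, claims["e"]
```

In the hardened flow the token is sent to a channel the employer already trusts for that employee (a verified work mailbox, or a printed letter), so possession of the token, rather than knowledge of a shared code and public facts, is what proves the request is genuine; a token that leaks is only good for one employee, for one use, and only until it expires.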
Wolfe reiterated that there is no evidence an ADP system housing employee data was compromised.
One industry observer said both sides were to blame for the situation.
“ADP confirmed a weakness in their customer portal — exacerbated by careless security hygiene on the part of their customer companies — that hackers exploited to access the W-2 data of a number of employees at more than a dozen client firms. As ADP works with more than 640,000 companies, this may only be the tip of the iceberg,” Adam Levin, chairman and founder of IDT911, told SCMagazine.com in an email.