An Alabama federal judge refused on Thursday to toss a proposed class action against software company Innovak International brought by residents who allege the company knew at least two years ago about the weaknesses in its system’s security that led to an April data breach. Read more on Law360 (sub. required). For more background on the breach, read previous coverage on this site.
So Innovak International never responded to my inquiries, but an IRS investigator reportedly told others that 14 school systems – three in Alabama and 11 in Mississippi – were impacted by their breach involving employees’ W-2 statements. Innovak’s web site, which never looked particularly confidence-inspiring to me to begin with, has a statement that says: We are currently undergoing a “renovation” of this web site. Please email us if you notice anything not quite right. The copyright date on the site is 2000-2001, and it informs users who may be experiencing problems to go download the most recent version of Netscape.
Aha. I see Brian Krebs got some answers before I did concerning a breach involving ADP. On April 30, I had reported that Allegheny College suspected that employee reports of W-2 data compromise were linked to a breach involving ADP’s iPay. In an email to this site earlier today, Rick Holmgren, the college’s vice-president of Information Services and Assessment, said he still had no idea how unauthorized third parties were able to register accounts on iPay. ADP, contacted several times by DataBreaches.net, has yet to provide the requested explanation. Enter Brian Krebs to the rescue.
Brian reports that the criminals were able to steal wage and tax data from ADP by registering accounts in the names of employees at “more than a dozen customer firms.” ADP says the incidents occurred because the victim companies all mistakenly published sensitive ADP account information online that made those firms easy targets for tax fraudsters.
Last week, U.S. Bancorp (U.S. Bank) — the nation’s fifth-largest commercial bank — warned some of its employees that their W-2 data had been stolen thanks to a weakness in ADP’s customer portal. …. A reader who works at the financial institution shared a letter received from Jennie Carlson, U.S. Bank’s executive vice president of human resources. “Since April 19, 2016, we have been actively investigating a security incident with our W-2 provider, ADP,” Carlson wrote. “During the course of that investigation we have learned that an external W-2 portal, maintained by ADP, may have been utilized by unauthorized individuals to access your W-2, which they may have used to file a fraudulent income tax return under your name.”
The letter continued: “The incident originated because ADP offered an external online portal that has been exploited. For individuals who had never used the external portal, a registration had never been established. Criminals were able to take advantage of that situation to use confidential personal information from other sources to establish a registration in your name at ADP. Once the fraudulent registration was established, they were able to view or download your W-2.” [….]
According to ADP, new users need to be in possession of two other things (in addition to the victim’s personal data) at a minimum in order to create an account: A custom, company-specific link provided by ADP, and a static code assigned to the customer by ADP. The problem, Cloutier said, seems to stem from ADP customers that both deferred that signup process for some or all of their employees and at the same time inadvertently published online the link and the company code. As a result, for users who never registered, criminals were able to register as them with fairly basic personal info, and access W-2 data on those individuals. Read more on KrebsOnSecurity.com.
The problem being described appears different than the problem being reported in connection with Greenshades clients. As I’ve reported previously on this site, Greenshades claims their clients’ employees had their W-2 data compromised because they used their DOB and SSN as their login credentials, and criminals who obtained that information elsewhere were then able to log in as the employees and download their W-2 data. Other clients’ employees, they claim, likely fell for a phishing scheme directing them to a fake Greenshades domain.
ADP and Greenshades are not the only payroll or W-2 vendors whose clients have been reporting problems. As also noted previously on this site, Innovak customers in Mississippi and Alabama have reported problems, and Stanford University and its vendor, W-2 Express, are still investigating how over 700 Stanford employees had their W-2 data stolen. How many other vendors have experienced compromises remains unknown, as some entities reporting breaches of their employees’ W-2 data are not naming their vendors.
Might this be a good time for all vendors to review and strengthen their authentication procedures?
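The registration weakness described in the post above, modeled as an added sketch (not ADP's code and not part of the original post): a static company code shared by every employee adds nothing once it is published, while a per-employee, single-use, expiring enrollment token does. The Portal class, its method names, the company code and the employee record are all hypothetical and constructed for illustration.

```python
import hashlib, hmac, secrets, time

COMPANY_CODE = "ACME-1234"   # constructed: one static code shared by every employee
EMPLOYEES = {"jdoe": {"ssn": "000-00-0000", "dob": "1980-01-01"}}  # constructed record

class Portal:
    def __init__(self, token_ttl=7 * 24 * 3600):
        self.registered = {}   # employee id -> login chosen at registration
        self.tokens = {}       # employee id -> (sha256 of token, expiry time)
        self.token_ttl = token_ttl

    def _pii_matches(self, emp_id, ssn, dob):
        rec = EMPLOYEES.get(emp_id)
        return rec is not None and rec["ssn"] == ssn and rec["dob"] == dob

    def register_static(self, emp_id, company_code, ssn, dob, login):
        """Scheme as described: shared company code plus personal data."""
        if emp_id in self.registered:
            return False
        if company_code != COMPANY_CODE or not self._pii_matches(emp_id, ssn, dob):
            return False
        self.registered[emp_id] = login   # first claimant owns the account
        return True

    def issue_token(self, emp_id, now=None):
        """Employer delivers this to the employee out of band; only a hash is stored."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)
        digest = hashlib.sha256(token.encode()).digest()
        self.tokens[emp_id] = (digest, now + self.token_ttl)
        return token

    def register_hardened(self, emp_id, token, ssn, dob, login, now=None):
        """Same checks plus a per-employee, single-use, expiring secret."""
        now = time.time() if now is None else now
        if emp_id in self.registered or not self._pii_matches(emp_id, ssn, dob):
            return False
        digest, expiry = self.tokens.get(emp_id, (b"", 0))
        supplied = hashlib.sha256(token.encode()).digest()
        if now > expiry or not hmac.compare_digest(digest, supplied):
            return False
        del self.tokens[emp_id]           # single use: cannot be replayed
        self.registered[emp_id] = login
        return True
```

In the static scheme every input is either shared across the company or obtainable from other sources, so an unregistered account belongs to whoever registers first; the token ties registration to something only the employee was given.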
Jacque Masse reports on another breach that is linked to Innovak: Some Lamar County School District employees had their personal information compromised after an employee portal experienced a data breach. According to Lamar County Superintendent Tess Smith, the district uses a company called INNOVAK that allows staff to access their pay stubs and W2s through the internet. Smith said the company experienced a security breach that affected several school districts in Mississippi and Alabama. Read more on WDAM. As noted in my coverage of the Escambia County School System breach report, DataBreaches.net reached out to Innovak International on April 5, but has received no response to inquiries about their breach. A second request has been sent today. WDAM reports: According to INNOVAK, the breach was only related to employee W2s and no other information was accessed. Smith said INNOVAK has locked down the portal, and precautions and safety measures have been put into place. So how many school district clients of Innovak have been impacted by this breach, and how many individuals, total? UPDATE 1: Later today, WDAM updated their story to name two other school districts that have also been impacted by the Innovak Intl breach: Marion County and Columbia school districts: About 20 employees from the Columbia School District were affected. In the Marion County school district, 12 were affected. In Alabama, at least three districts have been affected: Escambia County Schools, Dothan City, and Alexander City. More than 100 employees from those three districts have been affected.
Stephanie Nelson reports: The Escambia County School System is one of three in the state hit with a payroll accounting system security breach that allowed fraudulent tax returns to be filed in employee names. The systems, which include Alexander and Dothan city, use Innovak – a Spartanburg, S.C.-based provider platform for financials. Ongoing investigations at those systems revealed that employee personal data was taken from a source “upstream” of its computer system or a source totally outside of it, such as individual financial institutions. EC Superintendent John Knott said Wednesday he was notified over spring break about the possible situation. In the beginning, it did not appear the local system was involved in the breach; however, cases are beginning to appear. Read more on Brewton Standard. DataBreaches.net sent an inquiry to Innovak yesterday, but has received no response as yet.