ADP joins ranks of vendors associated with W-2 data compromise

Aha. I see Brian Krebs got some answers before I did concerning a breach involving ADP. On April 30, I had reported that Allegheny College suspected that employee reports of W-2 data comprise were linked to a breach involving ADP’s iPay. In an email to this site earlier today, Rick Holmgren, the college’s vice-president of Information Services and Assessment said he still had no idea how unauthorized third parties were able to register accounts on iPay. ADP, contacted several times by DataBreaches.net yet, has yet to provide the requested explanation.

Enter Brian Krebs to the rescue. Brian reports that the criminals were able to steal wage and tax data from ADP by registering accounts in the names of employees at “more than a dozen customer firms.”

ADP says the incidents occurred because the victim companies all mistakenly published sensitive ADP account information online that made those firms easy targets for tax fraudsters.

Last week, U.S. Bancorp(U.S. Bank) — the nation’s fifth-largest commercial bank — warned some of its employees that their W-2 data had been stolen thanks to a weakness in ADP’s customer portal.

…. A reader who works at the financial institution shared a letter received from Jennie Carlson, U.S. Bank’s executive vice president of human resources.

“Since April 19, 2016, we have been actively investigating a security incident with our W-2 provider, ADP,” Carlson wrote. “During the course of that investigation we have learned that an external W-2 portal, maintained by ADP, may have been utilized by unauthorized individuals to access your W-2, which they may have used to file a fraudulent income tax return under your name.”

The letter continued:

“The incident originated because ADP offered an external online portal that has been exploited. For individuals who had never used the external portal, a registration had never been established. Criminals were able to take advantage of that situation to use confidential personal information from other sources to establish a registration in your name at ADP. Once the fraudulent registration was established, they were able to view or download your W-2.”

[….]

According to ADP, new users need to be in possession of two other things (in addition to the victim’s personal data) at a minimum in order to create an account: A custom, company-specific link provided by ADP, and a static code assigned to the customer by ADP.

The problem, Cloutier said, seems to stem from ADP customers that both deferred that signup process for some or all of their employees and at the same time inadvertently published online the link and the company code. As a result, for users who never registered, criminals were able to register as them with fairly basic personal info, and access W-2 data on those individuals.

Read more on KrebsOnSecurity.com.

The problem being described appears different than the problem being reported in connection with Greenshades clients. As I’ve reported previously on this site, Greenshades claims their clients’ employees had their W-2 data compromised because they used their DOB and SSN as their login credentials, and criminals who obtained that information elsewhere were then able to login as the employees and download their W-2 data. Other clients’ employees, they claim, likely fell for a phishing scheme directing them to a fake Greenshades domain.

ADP and Greenshades are not the only payroll or W-2 vendors whose clients have been reporting problems. As also noted previously on this site, Innovak customers in Mississippi and Alabama have reported problems, and Stanford University and its vendor, W-2 Express, are still investigating how over 700 Stanford employees had their W-2 data stolen.

How many other vendors have experienced compromises remains unknown, as some entities reporting breaches of their employees’ W-2 data are not naming their vendors.

Might this be a good time for all vendors to review and strengthen their authentication procedures?

About the author: Dissent