Philadelphia-based PREIT (Pennsylvania Real Estate Investment Trust) became the latest firm to disclose that its Human Resources information on employees and their dependents and beneficiaries had been accessed by an unknown third party from an UltiPro-hosted system. PREIT learned of the breach on April 16.
In April, when Brian Krebs first reported on breaches associated with UltiPro, he quoted their spokesperson’s explanation:
Jody Kaminsky, senior vice president of marketing at Ultimate Software, said the company has no indication of a compromise of Ultimate’s security. Instead, she said Doug’s employer appears to have had its credentials stolen and abused by this fraud operation.
“Although we are aware that several customers’ employees were victims of tax fraud, we have no reason to believe this unauthorized access was the result of a compromise of our own security,” Kaminsky said. “Rather, our investigation suggests this is the result of stolen login information on the end-user level and not our application.”
In their May 8th notification to the New Hampshire Attorney General’s Office and letter to those affected, PREIT’s lawyers do not explain how the third party obtained access to their files on UltiPro on February 23, so it’s possible that this is another case where a firm’s login credentials were obtained and then misused as opposed to any hack of UltiPro’s systems.