Security Alerts

In May 2016, ADP, a payroll processing company, experienced a data breach that exposed the tax information of some employees of its clients, making them vulnerable to tax fraud and identity theft. Cybercriminals exploited unique ADP corporate registration codes posted on unsecured websites to create fake ADP accounts and access the tax information. The breach was discovered after several customers reported fraudulent transactions made through ADP’s self-service portal, with at least one institution, U.S.

Cyber Security Strategy: 5 Critical Topics for Employee Training

A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010. ADP Chief Security Officer Roland Cloutier explained that to create an account, users need to sign up using their name, social security number and date of birth—pretty basic information that can be easily lifted by skilled hackers. But to activate the account, users need a specific link and company code. The victim companies were the ones that published their signup link and code somewhere publically accessible.

If you haven’t been notified yet of the hack, then your password hasn’t been compromised. The big takeaway from this news story is the importance of password security. For example, if you use the same password on all of your online accounts, and a phishing scam like this stole your password, then all of your accounts would be in jeopardy. Drizly, an online alcohol delivery startup, informs its customers their personal information is at risk after a hacker obtained their data during a data breach. It’s estimated that as many as 2.5 million accounts are affected by the incident. Sydney, Australia-based Service NSW, which provides one-stop services for government customers, releases results of investigation of data breach that occurred in April.

Share This Story, Choose Your Platform!

• Data security threats today move fast and are increasingly sophisticated.
• Unfortunately, some companies are not careful with their activation codes, and wind up placing them in the public domain, where they can be scooped up by ever-watchful hackers.
• I went into ADP and seen my direct deposit information had been changed to some random cashapp card which i don’t own.
• Thousands of employee data were used to set up fraudulent ADP accounts, steal employee W-2s, and file false tax returns.

Cybercrime is now using a process called “Flowjacking”, and are able to determine the work and data flow of ADP’s internal processes. They found out that setting up a user account with the company was a two-step process. The first step involves setting up the account, which requires social security numbers and other personal data that is easily available in the underground internet economy. Although the company did not say how many customers were affected by the breach, South African Banking Risk Centre, an anti-fraud and banking non-profit, claims the breach affected 24 million South Africans and 793,749 local businesses. Justice Department charges Joseph Sullivan, 52, former chief security officer at Uber, for allegedly paying hackers $100,000 to hide a 2016 data breach at the company that affected 57 million users and drivers. It says affected stores may have had customer data exposed, including basic contact information, such as email, name, and address, as well as order details, like products and services purchased.

ADP provides payroll, tax and benefits administration for over 640,000 companies. In connection with providing payroll, tax and benefits administration, ADP stores tax and salary information, such as W-2s, for each of its customer’s employees. For some ADP customers, employees can view this information themselves by registering with ADP’s self-service portal. If you’re a growing company and think you’re not a target for identity theft, think again.

How CISO’s Can Survive and Thrive in a Complex Cyber Landscape

This is data with good, reliable resale value, and they can always find a ready market for it. Your organization may be one of the hundreds of thousands that rely on ADP. In this blog I have warned for years that cybercrime has gone pro, and that the sophistication of their attacks is only going up. The last few months they have targeted HR and Accounting, trying to social engineer employees in those departments to respecitvely get W-2 information and large wire transfers done.

• Rather, the workflow itself was breached, and the hackers took advantage of the fact that some companies weren’t as careful as they should have been with their activation codes.
• Singapore’s Personal Data Protection Commission fines Grab, maker of a transportation, logistics, and financial services app, SG$10,000 ($7,325) for a series of data breaches compromising customer data.
• For some ADP customers, employees can view this information themselves by registering with ADP’s self-service portal.

ADP Latest To Get Hit By Hackers – Was Your Account Affected?

Singapore’s Personal Data Protection Commission fines Grab, maker of a transportation, logistics, and financial services app, SG$10,000 ($7,325) for a series of data breaches compromising customer data. The breaches occurred after modifications made to its mobile app exposed to the risk of unauthorized access the information of 21,541 GrabHitch drivers and passengers. Shopify, an online commerce platform, reveals two rogue members of its support team compromised the data of less than 200 merchants doing business on the shopping site. ADP has thus far not released information on how many records were put at risk by the successful hack against them, and security experts stress that ADP itself was not hacked. The second did adp get hacked step is activating the account, and ADP sends activation codes to the companies that set up accounts with them.

With over 640,000 client companies, this had potential to be a catastrophic security breach of employee ID information. ADP relies on static data – name, Social Security Number, date of birth, and a unique company identification code – to authenticate new portal registrants. Unfortunately, due to the multitude of breaches that have occurred over time, such personal information is widely available for purchase by malicious actors on the dark web and the black market. Additionally, many companies post unique ADP identification codes publicly for the convenience of their employees.

Otherwise, the company could be in the news like Snapchat earlier this year. A payroll employee opened an email that was a phishing scam that impersonated Snapchat’s CEO, Evan Spiegel. In the email, a hacker posing as Spiegel requested payroll information for existing and ex-employees. It says 47 staff accounts were compromised and used to steal 3.8 million documents, including 500,000 that contained personal information on 186,000 customers. The ADP hackers used a process called “Flowjacking”, which allowed them to access ADP’s internal processes. The first step requires Social Security numbers and other personal data.

More From Bloomberg Tax

In that instance the hackers retrieved W2 information and filed fake tax returns. The information was obtained by capturing login information, likely through a phishing scheme. Similarly, earlier this year the University of Virginia reported that hackers broke into a component of their HR system and attained access to sensitive employee information such as W2s and banking details.

Adp Latest To Get Hit By Hackers

The breach was discovered after several customers reported fraudulent transactions made through ADP’s self-service portal. Once hackers gain access to the data elements required for registration, they are able to create fraudulent ADP accounts within ADP’s self-service portal for customer employees that had not previously registered for the portal. Hackers can then view W-2 information within those accounts and use them to file fraudulent tax returns on behalf of employees. The posting of these activation codes online is what likely caused the breach. InstaCart, a grocery and home essentials delivery service, denies a data breach is the source of customer information being sold online on hacker forums. It says it believes the information was stolen from its platform using a “credential stuffing” attack.

According to news reports, cyber criminals appear to have gained unauthorized access to ADP, Inc.’s self-service customer portal to file fraudulent tax returns for some ADP customer employees. ADP has reportedly confirmed that a subset of its customers have been the victim of tax fraud perpetrated by hackers posing as customer employees on ADP’s portal. Rather, the workflow itself was breached, and the hackers took advantage of the fact that some companies weren’t as careful as they should have been with their activation codes. Office of the Comptroller of the Currency fines Capital One $80 million for data breach that resulted in the unauthorized access to the data of 100 million current and potential customers.