HR giant ADP, which provides payroll, tax and benefits administration for more than 640,000 companies, was hit hard by identity thieves this week. The perps made off with tax and salary data, according to a report from Brian Krebs—although the actual number of people affected has yet to be revealed.
The incident is an example of an increasingly sophisticated population of identity thieves, which uses complex, multi-stage attack vectors to get what they want.
Krebs explained that to access the information, the thieves used employee names from multiple firms to register accounts on an ADP external-facing web portal that employees can use to view their payroll information, including W-2s.
ADP Chief Security Officer Roland Cloutier explained that to create an account, users need to sign up using their name, social security number and date of birth—pretty basic information that can be easily lifted by skilled hackers. But to activate the account, users need a specific link and company code. The victim companies were the ones that published their signup link and code somewhere publically accessible.
“We viewed the code as an identification code, not as an authentication code, and we posted it to a Web site for the convenience of our employees so they could access their W-2 information,” said Dana Ripley, a spokesperson for one of the unfortunate victims, U.S. Bank. “We have discontinued that practice.”
Jennie Carlson, executive vice president of human resources at U.S. Bank, penned a letter to “a small population” of affected employees explaining the situation:
“Since April 19, 2016, we have been actively investigating a security incident with our W-2 provider, ADP…The incident originated because ADP offered an external online portal that has been exploited. For individuals who had never used the external portal, a registration had never been established. Criminals were able to take advantage of that situation to use confidential personal information from other sources to establish a registration in your name at ADP. Once the fraudulent registration was established, they were able to view or download your W-2.”
The personal information needed to open the account was not stolen from ADP, Cloutier stressed. But the tactic is an increasingly prevalent one, according to Carl Wright, EVP and general manager of TrapX Security.
“The attack on ADP by cyber thieves is an example of an increasingly sophisticated hack called a FlowJack,” he said via email. “Hackers can penetrate an organization and gain an understanding of the internal workflow and the necessary credentials to hijack target assets. This interception of critical workflow, or FlowJack, enables hackers to steal important data and then intercept and divert the flow of money—in this case, citizens’ tax refunds.”
Adam Levin, chairman and founder of IDT911, told Infosecurity that while ADP isn’t saying much about who the victims are, the overall number of people affected is likely to be significant.
“As ADP works with more than 640,000 companies, this may only be the tip of the iceberg,” he said. “W-2 data is a hot commodity for identity thieves because it contains the type of sensitive personal information necessary to file fraudulent federal and state tax returns for the purpose of securing tax refunds in the names of victims. This puts a huge bullseye on payroll and human resource companies like ADP that handle such a goldmine of personally identifiable information.”