Cybercriminals Strike ADP

W-2 and other employee data stolen from payroll provider

Aliah D. Wright By Aliah D. Wright May 5, 2016

Not even ADP is safe from cybercriminals.

On May 4, the payroll and HR services giant reported that “a small number” of its clients had been affected; the information stolen consisted of tax and salary data.

“It’s important to point out it was not a breach,” said Dick Wolfe, ADP’s senior director of corporate communications, to SHRM Online. “ADP has learned of a small number of clients whose employees have been victimized by fraudulent registrations through [the clients’] self-service registration portal.”

So far, only one of ADP’s clients, U.S. Bancorp, has been publicly identified as a victim of the theft. According to news reports, about 2 percent of the bank’s 67,000 employees had their tax and salary data stolen when thieves used personal information (such as name, address, date of birth) stolen in a previous incident, apparently unrelated to ADP’s, to register accounts in their names.

“Any potential exposure of W-2 information was limited to individuals who have had their personal information compromised previously (unrelated to ADP), based on ADP’s investigation to date,” Wolfe said.

Some of the employees’ stolen personal information was reportedly used to file fake tax returns.

U.S. Bank representative Dana Ripley told, a website based on the magazine for IT security professionals, that the vulnerability has been resolved. (U.S. Bancorp is a parent company of U.S. Bank.)

“Registration to the portal requires an access code that is unique to each client company,” Wolfe told SHRM Online. “The company registration code is combined with an individual employee’s personal information (e.g., partial Social Security number, date of birth, employee number, etc.) to create a unique access code required for portal registration. In this case, these clients made the unique company registration code available to its employees via an unsecured public website.  The combination of an unsecured company registration code and stolen personal information (via phishing, malware, etc.) enabled the fraudulent access to the portal, based on ADP’s investigation to date.”

Possessing previously stolen identifying information enabled cyberthieves to “walk through ADP’s front door because they already had information about the individual,” said Adam Levin, chairman and founder of IDT911, an identity theft protection company, to SHRM Online in a phone interview.

“W-2 data is a hot commodity for identity thieves because it contains the type of sensitive personal information necessary to file fraudulent federal and state tax returns for the purpose of securing tax refunds in the names of victims,” Levin said. “This puts a huge bull’s-eye on payroll and human resource companies like ADP that handle such a gold mine of personally identifiable information.” ADP serves more 630,000 clients worldwide.

How Organizations Can Help Prevent Breaches

So far in 2016, nearly 350 data breaches and more than 11.36 million records have been stolen, according to the Identity Theft Resource Center (ITRC).

“Security awareness training for employees is as essential as the air we breathe,” Levin said, especially since employees are most vulnerable and represent an organization’s “first line of defense.”

He added that companies can minimize their risk of exposing employee data by:

  • Segregating their HR systems from other systems of record.
  • Making sure only essential personnel have access to sensitive data.
  • Monitoring systems for anomalies.
  • Encrypting data.
  • Having a breach plan in place “so you know who to call, what to do and … how to help your employees.”

HR should “respond urgently, transparently and empathetically” to employees who have fallen victim to cybercrimes.

Once a breach like this occurs, Levin said victims should be notified and told to file IRS Form 14039, which is an identity theft affidavit.  

Levin offered additional advice for cybercrime victims: “You can also contact the Identity Protection Specialized Unit of the IRS at 1-800-908-4490 for additional help with your case. In the meantime, closely monitor your credit records for any suspicious activity and consider setting up fraud alerts and enrolling in a credit and identity monitoring program, or freezing your credit. If it appears that any of your credit or financial accounts have been improperly accessed, close the compromised account (or accounts) immediately to prevent identity thieves from looting them or using them as conduits to gain even more sensitive information about you.”

Aliah D. Wright is an online editor/manager for SHRM.


Job Finder

Find an HR Job Near You
Search Jobs


Find the Right Vendor for Your HR Needs

SHRM’s HR Vendor Directory contains over 10,000 companies

Search & Connect

HR Daily Newsletter

News, trends and analysis, as well as breaking news alerts, to help HR professionals do their jobs better each business day.