Not a Member? Get access to HR news and resources that you can trust.
Don't leave the task of calculating total cost of workforce to the finance department.
Is your employee handbook ready for the changing world of work? With SHRM’s Employee Handbook Builder get peace of mind that your handbook is up-to-date.
60+ new SHRM Seminar dates in 10 U.S. cities and virtually.
Expand your influence and learn how to become an effective leader -- Join us in Phoenix, AZ, October 2-4, 2017.
W-2 and other employee data stolen from payroll provider
Not even ADP is safe from cybercriminals.
On May 4, the payroll and HR services giant reported that “a small number” of its clients had been affected; the information stolen consisted of tax and salary data.
“It’s important to point out it was not a breach,” said Dick Wolfe, ADP’s senior director of corporate communications, to SHRM Online. “ADP has learned of a small number of clients whose employees have been victimized by fraudulent registrations through [the clients’] self-service registration portal.”
So far, only one of ADP’s clients, U.S. Bancorp, has been publicly identified as a victim of the theft. According to news reports, about 2 percent of the bank’s 67,000 employees had their tax and salary data stolen when thieves used personal information (such as name, address, date of birth) stolen in a previous incident, apparently unrelated to ADP’s, to register accounts in their names.
“Any potential exposure of W-2 information was limited to individuals who have had their personal information compromised previously (unrelated to ADP), based on ADP’s investigation to date,” Wolfe said.
Some of the employees’ stolen personal information was reportedly used to file fake tax returns.
U.S. Bank representative Dana Ripley told SCMagazine.com, a website based on the magazine for IT security professionals, that the vulnerability has been resolved. (U.S. Bancorp is a parent company of U.S. Bank.)
“Registration to the portal requires an access code that is unique to each client company,” Wolfe told SHRM Online. “The company registration code is combined with an individual employee’s personal information (e.g., partial Social Security number, date of birth, employee number, etc.) to create a unique access code required for portal registration. In this case, these clients made the unique company registration code available to its employees via an unsecured public website. The combination of an unsecured company registration code and stolen personal information (via phishing, malware, etc.) enabled the fraudulent access to the portal, based on ADP’s investigation to date.”
Possessing previously stolen identifying information enabled cyberthieves to “walk through ADP’s front door because they already had information about the individual,” said Adam Levin, chairman and founder of IDT911, an identity theft protection company, to SHRM Online in a phone interview.
“W-2 data is a hot commodity for identity thieves because it contains the type of sensitive personal information necessary to file fraudulent federal and state tax returns for the purpose of securing tax refunds in the names of victims,” Levin said. “This puts a huge bull’s-eye on payroll and human resource companies like ADP that handle such a gold mine of personally identifiable information.” ADP serves more 630,000 clients worldwide.
How Organizations Can Help Prevent Breaches
So far in 2016, nearly 350 data breaches and more than 11.36 million records have been stolen, according to the Identity Theft Resource Center (ITRC).
“Security awareness training for employees is as essential as the air we breathe,” Levin said, especially since employees are most vulnerable and represent an organization’s “first line of defense.”
He added that companies can minimize their risk of exposing employee data by:
HR should “respond urgently, transparently and empathetically” to employees who have fallen victim to cybercrimes.
Once a breach like this occurs, Levin said victims should be notified and told to file IRS Form 14039, which is an identity theft affidavit.
Levin offered additional advice for cybercrime victims: “You can also contact the Identity Protection Specialized Unit of the IRS at 1-800-908-4490 for additional help with your case. In the meantime, closely monitor your credit records for any suspicious activity and consider setting up fraud alerts and enrolling in a credit and identity monitoring program, or freezing your credit. If it appears that any of your credit or financial accounts have been improperly accessed, close the compromised account (or accounts) immediately to prevent identity thieves from looting them or using them as conduits to gain even more sensitive information about you.”
Aliah D. Wright is an online editor/manager for SHRM.
You have successfully saved this page as a bookmark.
Please confirm that you want to proceed with deleting bookmark.
You have successfully removed bookmark.
Please log in as a SHRM member before saving bookmarks.
Your session has expired. Please log in again before saving bookmarks.
Please purchase a SHRM membership before saving bookmarks.
An error has occurred
Recommended for you
Become a SHRM Member
SHRM’s HR Vendor Directory contains over 3,200 companies