Cyber thieves have succeeded in stealing sensitive tax and salary information on employees at a dozen companies that use the payroll giant ADP.
On Tuesday, ADP ( explained how fraudsters managed to siphon W-2 tax forms using a convenient online feature. )
The incident seems small in scope. But it shows how fraudsters have adopted novel techniques to steal personal information — especially the kind that can later be used to claim tax refunds.
ADP didn’t say when the theft occurred, and wouldn’t tell CNNMoney how many people had their detailed income data exposed. But it noted the incident affected “around a dozen” of the company’s 630,000 corporate clients.
One of them is US Bank, ( where 1,400 people were affected. That’s about 2% of the company, according to the bank. )
Here’s how it happened, according to ADP. Many companies provide pay information to their employees online. This makes it easier to download past W-2 forms whenever they’re needed for doing taxes or applying for a loan.
ADP offers this to their corporate clients via a public-facing website. To register, an employee has to use a “unique company registration code” and some personal information, such as a Social Security number and birthday.
US Bank, for example, told CNNMoney it published its special ADP link on a public website meant for bank employees.
Criminals took advantage of the fact that employees at some companies hadn’t yet signed up for the service. They managed to get a hold of some company registration codes, then paired that with stolen employee personal information.
“The combination of an unsecured company registration code and stolen personal information enabled the fraudulent access to the portal,” ADP told CNNMoney in a statement.
ADP said there’s “no evidence” its own computers have been hacked, and seemed to blame clients for not properly guarding keys to its document-sharing feature.
“Publishing unique registration codes to an unsecure website is not common practice. ADP actively advises against this practice, notifies clients of the potential risks, and has temporarily disabled access to the registration portal for those clients that continue to publish company registration codes in this fashion,” it said.
ADP acknowledged this incident after it was revealed by cybersecurity reporter Brian Krebs and said it’s working with “a federal law enforcement task force” to investigate what happened.
It’s the latest example that shows how much personal information hackers have amassed on the black market — and how it’s being repurposed by identity thieves for all sorts of fraud.
The data leak — which isn’t quite a hack because there’s no sign criminals ever broke into anything — bears striking resemblance to an episode last year involving the IRS website.
In that case, an organized crime syndicate used stolen personal information to turn a convenient IRS feature into a leaky faucet.
The data stolen in the ADP leak makes it easier for hackers to steal tax refunds next year. All it takes to file a fake return is a person’s name and Social Security number. While the IRS has improved its anti-fraud system to catch wildly erroneous returns, criminals armed with accurate salary information are more likely to pull this off.