ADP is calling it "a small number" of affected clients, but some employees of the payroll provider's client firms have had tax and salary data stolen after cybercriminals gained entry through fraudulent registrations on ADP clients' self-service registration portal.

According to the Society for Human Resource Management's SHRM Online, the thieves were able to access the stolen data via company access codes to ADP's portal when those companies made the codes available through an unsecured public website. The information taken included tax and salary data. In one case involving ADP client U.S. Bancorp, W-2 information was also stolen.

Dick Wolfe, ADP's senior director of corporate communications, was quoted in the report saying, "It's important to point out it was not a breach." Instead, Wolfe says, access was gained because client companies did not adequately safeguard their unique access codes. The previous theft of other personal information, such as name, address and date of birth, allowed the cyberattackers to register fraudulent accounts in the employees' names.

In addition, some of the stolen personal data was used to file phony tax returns with the IRS.

The report cited Identity Theft Resource Center (ITRC) data indicating that so far this year, almost 350 data breaches have taken place, resulting in the theft of more than 11.36 million records.

Adam Levin, chairman and founder of IDT911, an identity theft protection company, says in the report that companies can cut the risk of exposing employee data by taking several actions: segregating HR systems from other record systems; limiting access to sensitive data; monitoring systems for anomalies; encrypting data; and having a plan to deal with the consequences if the worst should happen and a system is breached.

In the event of a breach, companies should also notify victims and advise them to file IRS Form 14039, an identity theft affidavit.

 
