“During the course of that investigation, we have learned that an external W-2 portal, maintained by ADP, may have been utilized by unauthorized individuals to access your W-2.”

The letter warned that the stolen tax and salary data may have been used to file a fraudulent income tax return under the employee’s name. U.S. Bank explained that fraudsters created unauthorized accounts for employees who had not yet registered on ADP’s portal, using confidential personal information from other sources. ADP stressed that fraudsters also needed to have the victim’s name, date of birth and Social Security number in order to create the account, and that this information did not come from its systems.

“Once the fraudulent registration was established, they were able to view or download your W-2,” said Carlson.

Meanwhile, Krebs reported that U.S. Bank did acknowledge that the link and company code to the ADP portal were published to an online employee resource.
“We viewed the code as an identification code, not as an authentication code, and we posted it to a Web site for the convenience of our employees so they could access their W-2 information,” explained U.S. Bank spokesman Dana Ripley.

The company noted it has since discontinued that practice, while ADP says it has developed a system to monitor the Web for such signup links and access codes.