Payroll processing provider ADP has confirmed fraudsters gained access to some clients’ online portals and compromised the W-2 data of employees at more than a dozen customer firms.
According to ADP, however, the theft occurred after the impacted companies mistakenly published unique access codes to employee accounts online.
The New Jersey-based company provides payroll, tax and benefits administration services to more than 640,000 businesses and corporations – one of them being U.S. Bank, where an estimated 1,400 employees were affected.
U.S. Bank employees were notified of the breach in a letter written by the financial institution’s executive vice president of human resources, Jennie Carlson.
“Since April 19, 2016, we have been actively investigating a security incident with our W-2 provider, ADP,” read the letter, which was obtained by independent security journalist Brian Krebs.
“During the course of that investigation, we have learned that an external W-2 portal, maintained by ADP, may have been utilized by unauthorized individuals to access your W-2.”
The letter warned that the stolen tax and salary data may have been used to file a fraudulent income tax return under the employee’s name.
U.S. Bank explained that fraudsters, using confidential personal information obtained from other sources, created unauthorized accounts for employees who had not yet registered on ADP’s portal.
ADP stressed that, to create such an account, the fraudsters also needed the victim’s name, date of birth and Social Security number, data that did not come from its systems.
“Once the fraudulent registration was established, they were able to view or download your W-2,” said Carlson.
Meanwhile, Krebs reported that U.S. Bank did acknowledge that the link and company code for the ADP portal were published to an online employee resource.
“We viewed the code as an identification code, not as an authentication code, and we posted it to a Web site for the convenience of our employees so they could access their W-2 information,” explained U.S. Bank spokesman Dana Ripley.
The company noted it has since discontinued that practice, while ADP says it has developed a system to monitor the Web for such signup links and access codes.