ADP emphasized that the fraudsters needed to have the victim’s personal data — including name, date of birth and Social Security number — to successfully create an account in someone’s name. ADP also stressed that this personal data did not come from its systems, and that thieves appeared to already possess that data when they created the unauthorized accounts at ADP’s portal. US Bank’s Ripley then admitted that the bank made the company code accessible by publishing the link to an employee resource online. In January 2020, the Meadville Medical Center in Pennsylvania had a security breach with their payroll system which resulted in unauthorized exposure of employee personal data and their dependents’ personal information.
US Bank did acknowledge that the link and company code to the ADP portal were published to an online employee resource. An attacker could also access a range of personal data including name, birth date, physical address, pay stubs, or Social Security number — all the information they’d need to commit identity theft. They could also locate an employee’s tax documents, which could be used to file fraudulent tax returns on the worker’s behalf and redirect the funds to attackers’ accounts. This same kind of assurance didn’t go the way of the two recently-targeted companies. In fact, this is not the first time third-party providers were used as a channel for compromise. In the past, it was pointed out that securing the enterprise requires a more holistic approach in terms of keeping security gaps to a minimum.
Tax information for customers of ADP payroll services is now in the hands of hackers who could use the information to make fraudulent claims for tax refunds. ADP relies on static data – name, Social Security Number, date of birth, and a unique company identification code – to authenticate new portal registrants. Using personal information gathered from other sources, hackers were able to round up data from about 724,000 compromised taxpayer accounts.
The attack occurred in September 2024, with the stolen data surfacing online by December of the same year. At the time of the breach, Broadcom was still in transition from ADP to a new payroll provider and was indirectly impacted by the compromise. The bottom line is to keep HR, as well as all employees, educated and security systems up to date. A payroll employee opened a phishing email that impersonated Snapchat’s CEO, Evan Spiegel. In the email, a hacker posing as Spiegel requested payroll information for existing and ex-employees.
- According to news reports, cyber criminals appear to have gained unauthorized access to ADP, Inc.’s self-service customer portal to file fraudulent tax returns for some ADP customer employees.
- “Since April 19, 2016, we have been actively investigating a security incident with our W-2 provider, ADP,” read the letter, which was obtained by independent security journalist Brian Krebs.
- If you’re guilty of reusing, rotating, or using notoriously easy passwords, you are leaving yourself open to an account breach.
- If an organization had previously posted its unique ADP registration code publicly, the company should consider investigating whether any unusual or fraudulent activity took place with respect to ADP’s self-service portal.
Bank, which contracts with ADP payroll services, sent a letter to its employees who may have been affected. The letter says the bank has been actively investigating the ADP security breach since April 19, 2016. According to news reports, cyber criminals appear to have gained unauthorized access to ADP, Inc.’s self-service customer portal to file fraudulent tax returns for some ADP customer employees. ADP has reportedly confirmed that a subset of its customers have been the victim of tax fraud perpetrated by hackers posing as customer employees on ADP’s portal.
“In late September, 2024, BSH/ADP became aware of the ransomware attack,” reads an email to affected individuals. It’s understood Broadcom’s HR department has begun the process of informing current and former staff who are affected by the September ransomware attack at Business Systems House (BSH). If you use ADP, your best move from here is to contact them directly to find out if any of your employee records were impacted. It is also probably a good idea to have your network scanned and evaluated for security risks.
The hacked companies reset the passwords of the affected accounts and notified the affected users of the breach. The website with the most passwords stolen was Facebook with 318,000; however, the hacked company that poses the biggest risk to businesses is ADP, which is a popular payroll management app. By inserting malicious code into the software, hackers managed to access information provided by customers making purchases. Dave, an overdraft and cash advance service, confirms data breach resulting in the theft of a database containing 7.5 million user records. Payroll processing giant, ADP, recently divulged a breach that exposed tax information of employees of some of its clients, exposing them to tax fraud and identity theft. The 60-year-old Paterson, New Jersey-based company looked into the unauthorized access after a number of customers in its client base came forward with reports of fraudulent transactions made through its ADP self-service portal.
Tips to help prevent identity theft:
- ADP Chief Security Officer Roland Cloutier explained that to create an account, users need to sign up using their name, social security number and date of birth—pretty basic information that can be easily lifted by skilled hackers.
- Submit our vulnerability reporting form so that the ADP security team may validate and reproduce the issue.
In those cases, the fraudsters also already had the victim’s SSN, DoB and other personal data. ADP’s portal, like so many other authentication systems, relies entirely on static data that is available on just about every American for less than $4 in the cybercrime underground (SSN/DOB, address, etc). It’s true that companies should know better than to publish such a crucial link online along with the company’s ADP code, but then again these are pretty weak authenticators.
Sydney, Australia-based Service NSW, which provides one-stop services for government customers, releases results of investigation of data breach that occurred in April. It says affected stores may have had customer data exposed, including basic contact information, such as email, name, and address, as well as order details, like products and services purchased. Credit card and other financial information was not affected by the incident, it adds. The company says it provides ADP payroll services customers with a customer-specific link and a static code that are both required for their employees to register for the portal.
Reporting suspected fraudulent activity
If you would like to report suspected fraudulent activity, please contact your client service representative. The incident is an example of an increasingly sophisticated population of identity thieves, which uses complex, multi-stage attack vectors to get what they want. If you are an employee of an ADP client and are concerned about the breach, you may visit Have I Been Pwned to check if your credentials have been compromised.
ADP is the world’s largest HR firm, handling tax and payroll accounts for more than 640,000 companies that collectively employ millions of people. It may be possible that your company is one of the hundreds of thousands that rely on ADP for this function. Information that was hacked included names, social security numbers, bank account details, date of birth, and addresses.
It adds that the theft did not affect bank account numbers, credit card numbers, records of financial transactions, or unencrypted Social Security numbers. Blackbaud, a service provider for charitable organizations, in a report to the U.S. Securities and Exchange Commission, reveals bank account information and users’ passwords are among the details stolen by hackers in a security breach that occurred earlier this year. The company previously said payment details were not affected by the attack, which has affected hundreds of universities, healthcare providers, and other organizations around the globe.
In connection with providing payroll, tax and benefits administration, ADP stores tax and salary information, such as W-2s, for each of its customers’ employees. For some ADP customers, employees can view this information themselves by registering with ADP’s self-service portal. ADP has thus far not released information on how many records were put at risk by the successful hack against them, and security experts stress that ADP itself was not hacked. The breach was discovered after several customers reported fraudulent transactions made through ADP’s self-service portal. InstaCart, a grocery and home essentials delivery service, denies a data breach is the source of customer information being sold online on hacker forums. It says it believes the information was stolen from its platform using a “credential stuffing” attack.