ADP Payroll Information Helps Cyber Thieves Commit Tax Fraud

Computer security is like a chainlink fence; all it takes is one weak link, and the information wiggles through.

ADP Payroll claims a weak link not of their making is what led to the sensitive tax and salary information at a dozen companies to end up in the hands of cyber thieves.

While ADP has not confirmed when the theft occurred, the company has stated that that “around a dozen” of it’s 630,000 corporate clients were affected.

How Did ADP Payroll Become Vulnerable?

ADP explains that its own computers were not hacked. In fact, many of its company clients allow employees to access their payroll information online. Employees can access past ADP W2 forms and past pay stubs in order to do their taxes, apply for loans, etc.

ADP Payroll offers the online access to corporate clients by using a public-facing website. In order to register for the service, an employee has to enter some personal information, such as a Social Security number or a date of birth. The employee also has to use a “unique company registration code.”

ADP says the problem is that some companies, such as corporate customer US Bank, published its unique ADP link on a public website meant only for US Bank employees.

Cyber thieves took the initiative to tap into the ADP Payroll accounts of employees who had not yet signed up for the service. Somehow, the criminals obtained some company registration codes and put those together with previously stolen personal information.

It is believed that some employees might have inadvertently published registration codes because they thought they were on an internal-only server.

“The combination of an unsecured company registration code and stolen personal information enabled the fraudulent access to the portal,” ADP told CNNMoney in a statement.

As a result, nearly 1,400 US Bank employees, or 2% of the company, received letters stating their ADP W2 forms could have been downloaded. That means the employees could be the victims of tax fraud if fraudulent income tax returns were filed in their names.

Putting Together the ADP Payroll Puzzle

Interestingly, this incident is not being labeled a “hack” because there is no evidence that criminals broke into anything. Instead, they used previously stolen pieces of information and put it together to commit tax fraud.

ADP appears to shift blame to its clients for not fully securing ADP’s document-sharing service.

“Publishing unique registration codes to an unsecure website is not common practice,” said ADP. “ADP actively advises against this practice and notifies clients of the potential risks, and has temporarily disabled access to the registration portal for those clients that continue to publish company registration codes in this fashion.”

Although ADP Payroll will not say when the incident was uncovered, US bank has been investigating the issue with ADP since April 19, 2016, according to letters to employees from Jennie Carlson, US Bank’s Executive Vice President of Human Resources.

Has Your Information Been Compromised?

If you or someone you know works for a company that uses ADP Payroll, your personal information could have been compromised and used for tax fraud by someone filing a fake tax return.

No one should have to worry that the very system they rely upon to deliver their paychecks could turn on them and make them vulnerable to cyber thieves.

Join a Free ADP Data Breach Class Action Lawsuit Investigation

If your employer uses ADP to process payroll and you received an ADP paycheck or ADP W2 tax form, you could become the victim of tax fraud. You may be eligible to join a class action lawsuit investigation to help compensate you for past and future losses.

Join Now