A
data breach at ADP, a large payroll processing provider, has exposed an unknown number of U.S. workers to possible tax fraud.
Security blogger Brian Krebs of KrebsOnSecurity was first to report publicly on the data breach. Krebs writes that identity thieves used sensitive information gathered from other sources to register for ADP Payroll online accounts in the names of employees who had not yet registered themselves.
New Jersey-based ADP provides payroll services for over 640,000 companies. The company’s reach is so widespread, most U.S. workers have received at least one ADP-printed paycheck during their lifetime.
How the ADP Data Breach Happened
According to Krebs, the breach began to be revealed when U.S. Bancorp sent out a warning to some of its employees saying that their sensitive financial information had been compromised by unauthorized access through ADP’s customer portal.
A letter received by one U.S. Bank employee says the institution had been investigating the incident since April 19, 2016. The letter warns employees that the hackers gained access to employees’ W-2 information, which could be used to file a fraudulent income tax return.
The letter appeared to lay blame for the breach on ADP, for maintaining the external online portal that had been exploited. ADP later confirmed that other data breaches similar to those involving U.S. Bank employees had affected employees of other ADP payroll customers.
To successfully create the fraudulent registrations, ADP says, the perpetrators must have already had certain essential personal information gathered from some other source – information including the employee’s name, date of birth, and Social Security number.
Registration would also require two pieces of information that did come from ADP: a custom, company-specific link and a static code. Again, ADP says the hackers did not get that information from ADP but rather from ADP payroll customers who inadvertently had published both the link and the code online.
With that much information, the hackers were able to register on behalf of employees whose companies had deferred their registration to a later date. At that point, the hackers had access to those employees W-2 data and all they needed for tax fraud.
A spokesperson for U.S. Bank says the company did publish the link and code via an internal resource for its employees’ convenience, without realizing the two pieces of information could be sensitive.
Krebs comments that ADP’s portal had been relying “entirely on static data that is available on just about every American for less than $4 in the cybercrime underground” – information like address, date of birth, and Social Security number.
Neither ADP nor U.S. Bank has revealed how many persons’ data has been exposed.
Data Breach Victims at Risk for Tax Fraud
With the sensitive W-2 information exposed via the breach, hackers – or whoever they sell their ill-gotten data to – may be able to commit tax fraud by filing bogus tax returns on behalf of the affected employees.
According to Bankrate.com, the IRS says that tax filers who know or even just suspect their data has been compromised can submit Form 14039, the Identity Theft Affidavit. The agency says this form puts them on alert for signs of tax fraud that could show up on a fake return. Bankrate also recommends affected persons keep an eye on all their other financial information, like their credit reports.
Tax fraud attorneys are now investigating what further remedies may be available for employees affected by the data breach.
Join a Free ADP Data Breach Class Action Lawsuit Investigation
If your employer uses ADP to process payroll and you received an ADP paycheck or ADP W2 tax form, you could become the victim of tax fraud. You may be eligible to join a class action lawsuit investigation to help compensate you for past and future losses.
ATTORNEY ADVERTISING
Top Class Actions is a Proud Member of the American Bar Association
LEGAL INFORMATION IS NOT LEGAL ADVICE
Top Class Actions Legal Statement
©2008 – 2026 Top Class Actions® LLC
Various Trademarks held by their respective owners
This website is not intended for viewing or usage by European Union citizens.
One thought on ADP Data Breach May Result in Tax Fraud