Tax information for customers of ADP payroll services is now in the hands of hackers who could use the information to make fraudulent claims for tax refunds.
Hackers impersonated the employees of ADP customers, enabling them to register accounts in an ADP system that gave them access to the employees’ W-2 information.
The stolen information could be all that’s needed to file fraudulent tax returns in someone else’s name, inducing the IRS to send refund money to the perpetrators.
ADP is a New Jersey-based payroll processing service provider. Over 640,000 companies contract for ADP payroll services to handle their employees’ paychecks, pay stubs, and benefits administration.
The breach was revealed after U.S. Bank, which contracts with ADP payroll services, sent a letter to its employees who may have been affected. The letter says the bank has been actively investigating the ADP security breach since April 19, 2016.
The bank’s letter attributes the breach to a vulnerability in an external portal for W-2 information. The letter says that portal accounts created for individual employees, but that employees never used, were vulnerable to the ADP security breach.
Hackers were able to sneak into those portal accounts using the employees’ personal information gathered from other sources – information including the employees’ names, dates of birth, and Social Security numbers.
The hackers used that information to impersonate the employee associated with the account, register the account in the employee’s name, then siphon off that employee’s ADP paycheck information.
ADP Payroll Services Responds to the Breach
According to ADP, its customers who both create portals for all their employees and publish the associated ADP portal information in publicly available sources contribute to the risk that breaches like this will happen.
The company says it provides ADP payroll services customers with a customer-specific link and a static code that are both required for their employees to register for the portal.
U.S. Bank has said that it published its own link and code in an online resource openly available to U.S. Bank employees. The bank says it had not considered the link and code to be sensitive information.
ADP says it has since developed systems that monitor the internet to make sure other customers aren’t inadvertently exposing their links and codes.
ADP stresses that the hackers got the employees’ other personal information from an outside source, not from any ADP system.
Hackers had used similar tactics previously to break into the IRS’s Get Transcript application. Using personal information gathered from other sources, hackers were able to round up data from about 724,000 compromised taxpayer accounts.
Neither U.S. Bank nor ADP has revealed how many employees’ data was compromised. Both companies say the number of employees was limited, however. ADP also says it has experienced similar breaches this year involving a small subset of its other customers.
For affected employees, or for those who merely suspect that their ADP paycheck information was compromised, the IRS recommends filling out and sending in Form 14039, an Identity Theft Affidavit.
In cases where a fraudulent return has already been filed, affected employees can file their own authentic return with Form 14039 attached.
Join a Free ADP Data Breach Class Action Lawsuit Investigation
If your employer uses ADP to process payroll and you received an ADP paycheck or ADP W2 tax form, you could become the victim of tax fraud. You may be eligible to join a class action lawsuit investigation to help compensate you for past and future losses.
ATTORNEY ADVERTISING
Top Class Actions is a Proud Member of the American Bar Association
LEGAL INFORMATION IS NOT LEGAL ADVICE
Top Class Actions Legal Statement
©2008 – 2025 Top Class Actions® LLC
Various Trademarks held by their respective owners
This website is not intended for viewing or usage by European Union citizens.
One thought on ADP Payroll Services Compromised by Data Breach
Add me to the suit