ADP Payroll Customers on Alert for Tax Fraud Risk

Hackers were able to successfully access a W-2 portal maintained by ADP Payroll Services recently to steal sensitive information about employees at a handful of companies.

Account Data Processing or ADP is the world’s largest HR firm, handling tax and payroll accounts for more than 640,000 companies that collectively employ millions of people.

ADP Payroll Services provides organizations with a public-facing portal website that allows employees to access payroll information, including W-2 forms and ADP paycheck information.

An employee must provide their unique registration code and personal information, including Social Security Numbers and birth dates, to access their organization’s ADP site.

How Did the ADP Security Breach Happen?

Using a process called “flowjacking”, hackers were able to conduct the ADP security breach, determining the work and data flow of ADP’s internal processes. They found out, for example, that setting up a user account with the company was a two-step process.

The first step involves setting up the account, which requires social security numbers and other personal data (i much of which can be obtained from an ADP paycheck) that hackers are very good at getting their hands on.

The second step is activating the account, and ADP sends activation codes to the companies that set up accounts with them. Unfortunately, some companies are not careful with their activation codes, and wind up placing them in the public domain, where they can be scooped up by hackers and used for tax fraud or identity theft purposes.

Armed with a stolen social security number and a code grabbed from some public domain source, hackers can inject themselves into ADP’s normal process, and make off with thousands, and perhaps even millions of people’s personal information.

ADP Payroll Services Says Some Fault May Lie With Customers

Such data, according to the ADP Payroll Services, were not harvested from its systems, but must have already been in the hands of the hackers.

ADP Payroll Services officials said there is no evidence that the company’s servers were hacked, rather its clients had not protected registration keys to its portal.  The company noted that certain customers posted their unique ADP corporate registration codes to an unsecured website.

ADP has thus far not released information on how many records were put at risk by the successful hack against them, and security experts stress that ADP itself was not hacked. Rather, the workflow itself was breached, and the hackers took advantage of the fact that some companies weren’t as careful as they should have been with their activation codes.

KrebsOnSecurity journalist Brian Krebs noted that at least one institution, U.S. Bancorp (U.S. Bank), has been directly impacted by the ADP security breach.

U.S. Bank, one of America’s most sizable commercial banks, has duly notified a portion of its workforce affected by the stolen W-2 data, pointing to a “weakness in ADP’s customer portal”. However, Krebs notes that more could be affected by the ADP Payroll Services data hack.

If you believe you were a victim of tax fraud or identity theft as a result of the ADP Payroll Services security breach, you may have grounds for legal action.

Join a Free ADP Data Breach Class Action Lawsuit Investigation

If your employer uses ADP to process payroll and you received an ADP paycheck or ADP W2 tax form, you could become the victim of tax fraud. You may be eligible to join a class action lawsuit investigation to help compensate you for past and future losses.

Join Now