Cybercriminals Infiltrate ADP Tax Portal, Make Off with W-2 Data
Fraudsters obtained tax and salary data on employees of more than a dozen corporate clients of payroll services provider ADP—information that could be used to file fraudulent tax returns. U.S. Bank was among the companies targeted in the unauthorized access, which was first reported by Krebs on Security. A letter from the bank’s HR department to its affected employees revealed that the breach was discovered on April 19.
The identity thieves were able to access the data by creating fake registrations on ADP’s external W-2 portal using personal information—including names, birthdates and Social Security numbers—obtained elsewhere. Once registered, the fraudsters were able to view and download W-2 forms. Only employees who did not have existing registrations with the portal were affected, according to the letter, which Krebs reported was sent to a “small” percentage of the bank’s 64,000 employees. The hackers were able to access ADP’s external portal in the first place because fraudsters found client company access codes on unsecured websites, the report added. ADP said none of its internal systems have been compromised, but it’s working with a federal law enforcement task force to identify the fraud perpetrators.
“ADP provides education, awareness training, and information to clients and consumers on best practices to prevent common cybersecurity issues, such as phishing and malware,” according to a company statement. “ADP’s financial crimes monitoring team and client support groups provide proactive notice to clients when fraud or attempted fraudulent access is detected, as occurred in these cases.”
W-2s have become a prime target for fraudsters, who can use the data on the forms to file fraudulent tax returns. The IRS itself was targeted last year, when hackers used the agency’s “Get Transcript” feature to access W-2 data on more than 724,000 taxpayers. And earlier this year, the IRS shut down an online PIN access feature after discovering weaknesses in that system.