Application Security

7/20/2018
01:10 PM
50%
50%

HR Services Firm ComplyRight Suffers Major Data Breach

More than 7,500 customer companies were affected, and the number of individuals whose information was leaked is unknown.

ComplyRight, a company that provides human resources functions to businesses, has begun notifying individuals of a data breach that may have exposed names, addresses, phone numbers, email addresses, and Social Security numbers taken from employee tax forms the company processed.

According to ComplyRight, the company has more than 76,000 customers, though it has not yet said how many were involved in the breach.

KrebsOnSecurity, which broke news of the breach on Wednesday, writes that it appears to be a compromise of the website itself, rather than customer communications to and from the website. In its report, KrebsOnSecurity said it could find no ComplyRight employee with a security title on LinkedIn.

In a statement provided to Dark Reading, Jeannie Warner, security manager at WhiteHat Security said, "As a human resources firm, ComplyRight handles forms overflowing with personally identifiable information, such as 1099s and W2s. The fact that the company touts its security prowess, yet Brian Krebs couldn't identify a single employee with a security title, is deeply concerning - and just another reason for consumers to question their trust in digital businesses."

A Qualys SSL Labs scan of the site efile4biz.com conducted by Dark Reading shows an overall score of "B", capped because the server doesn't support forward secrecy or AEAD cipher suites. It must be noted, however, that this was a scan of the public-facing site (which does contain login provisions for customers); customers transacting business with the company may be re-directed to other servers upon authentication.

Nevertheless, the fact that the page still support outdated protocols such as TLS 1.0 for sign in indicates that there may be other legacy vulnerabilities still in place in the site application code.

In the Web page disclosing the breach, ComplyRight notes that the breach occurred in late May 2018, while the disclosure occurred on July 18. Ryan Wilk, vice president of customer success at NuData Security, a Mastercard company, said, "One of the many dangerous things about breaches is the amount of time it takes for companies and end users to know their data is out in the open. From the moment a breach happens, hackers have ample time to broker the stolen names, Social Security numbers, tax data and other identifying information on the dark web – leaving customers and employees open to the impacts of identity theft."

Related Content:

 

 

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
8 Security Tips to Gift Your Loved Ones For the Holidays
Steve Zurier, Freelance Writer,  12/18/2018
How to Engage Your Cyber Enemies
Guy Nizan, CEO at Intsights Cyber Intelligence,  12/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
[Sponsored Content] The State of Encryption and How to Improve It
[Sponsored Content] The State of Encryption and How to Improve It
Encryption and access controls are considered to be the ultimate safeguards to ensure the security and confidentiality of data, which is why they're mandated in so many compliance and regulatory standards. While the cybersecurity market boasts a wide variety of encryption technologies, many data breaches reveal that sensitive and personal data has often been left unencrypted and, therefore, vulnerable.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-16883
PUBLISHED: 2018-12-19
sssd versions from 1.13.0 to before 2.0.0 did not properly restrict access to the infopipe according to the "allowed_uids" configuration parameter. If sensitive information were stored in the user directory, this could be inadvertently disclosed to local attackers.
CVE-2018-17192
PUBLISHED: 2018-12-19
The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some browsers would interpret these results incorrectly, allowing clickjacking attacks. Mitigation: The fix to consistently apply the security headers was applied on th...
CVE-2018-17193
PUBLISHED: 2018-12-19
The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack. Mitigation: The fix to correctly parse and sanitize the request attribute value was applied on the Apache NiFi 1.8.0 release. Users running a prior ...
CVE-2018-17194
PUBLISHED: 2018-12-19
When a client request to a cluster node was replicated to other nodes in the cluster for verification, the Content-Length was forwarded. On a DELETE request, the body was ignored, but if the initial request had a Content-Length value other than 0, the receiving nodes would wait for the body and even...
CVE-2018-17195
PUBLISHED: 2018-12-19
The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, a...