Online hitch allows thieves to register fraudulently on payroll vendor portal.

Dark Reading Staff, Dark Reading

May 5, 2016

Thieves using stolen data created unauthorized accounts on ADP's portal in the names of some customers of the payroll processing provider and compromised their W-2 data, reports KrebsOnSecurity. This leaves them exposed to the risk of tax returns being filed fraudulently in their names.

The breach was discovered last month by ADP client US Bank, which said that "a small population" of its 64,000 employees had its tax and salary data stolen from the payroll vendor portal.

To register on ADP, employees need the company-specific link from ADP and a company code, both of which clients provide to them. KrebsOnSecurity says thieves have used unregistered employee accounts to sign in with the employee's personal details and siphon W-2 information.

This process is flawed because ADP customers post the code on an unsecured online page; ADP has now disabled access to the registration portal for those clients found to be publishing the sign-up link and code online.

Read full story at KrebsOnSecurity.
