Application Security

HR Services Firm ComplyRight Suffers Major Data Breach

More than 7,500 customer companies were affected, and the number of individuals whose information was leaked is unknown.

ComplyRight, a company that provides human resources functions to businesses, has begun notifying individuals of a data breach that may have exposed names, addresses, phone numbers, email addresses, and Social Security numbers taken from employee tax forms the company processed.

According to ComplyRight, the company has more than 76,000 customers, though it has not yet said how many were involved in the breach.

KrebsOnSecurity, which broke news of the breach on Wednesday, writes that it appears to be a compromise of the website itself, rather than customer communications to and from the website. In its report, KrebsOnSecurity said it could find no ComplyRight employee with a security title on LinkedIn.

In a statement provided to Dark Reading, Jeannie Warner, security manager at WhiteHat Security said, "As a human resources firm, ComplyRight handles forms overflowing with personally identifiable information, such as 1099s and W2s. The fact that the company touts its security prowess, yet Brian Krebs couldn't identify a single employee with a security title, is deeply concerning - and just another reason for consumers to question their trust in digital businesses."

A Qualys SSL Labs scan of the site efile4biz.com conducted by Dark Reading shows an overall score of "B", capped because the server doesn't support forward secrecy or AEAD cipher suites. It must be noted, however, that this was a scan of the public-facing site (which does contain login provisions for customers); customers transacting business with the company may be re-directed to other servers upon authentication.

Nevertheless, the fact that the page still support outdated protocols such as TLS 1.0 for sign in indicates that there may be other legacy vulnerabilities still in place in the site application code.

In the Web page disclosing the breach, ComplyRight notes that the breach occurred in late May 2018, while the disclosure occurred on July 18. Ryan Wilk, vice president of customer success at NuData Security, a Mastercard company, said, "One of the many dangerous things about breaches is the amount of time it takes for companies and end users to know their data is out in the open. From the moment a breach happens, hackers have ample time to broker the stolen names, Social Security numbers, tax data and other identifying information on the dark web – leaving customers and employees open to the impacts of identity theft."

Related Content:

 

 

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Devastating Cyberattack on Email Provider Destroys 18 Years of Data
Jai Vijayan, Freelance writer,  2/12/2019
Up to 100,000 Reported Affected in Landmark White Data Breach
Kelly Sheridan, Staff Editor, Dark Reading,  2/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8354
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c has an integer overflow on the result of multiplication fed into malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow.
CVE-2019-8355
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. In xmalloc.h, there is an integer overflow on the result of multiplication fed into the lsx_valloc macro that wraps malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow in channels_start in remix.c.
CVE-2019-8356
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. One of the arguments to bitrv2 in fft4g.c is not guarded, such that it can lead to write access outside of the statically declared array, aka a stack-based buffer overflow.
CVE-2019-8357
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c allows a NULL pointer dereference.
CVE-2013-2516
PUBLISHED: 2019-02-15
Vulnerability in FileUtils v0.7, Ruby Gem Fileutils <= v0.7 Command Injection vulnerability in user supplied url variable that is passed to the shell.