Some customers of payroll processing provider ADP had unauthorized accounts created on ADP's portal in their names by thieves using stolen data, and their W-2 data compromised, reports KrebsOnSecurity. This leaves them exposed to the risk of tax returns being filed fraudulently in their names.
The breach was discovered last month by ADP client US Bank, which said that "a small population" of its 64,000 employees had its tax and salary data stolen from the payroll vendor portal.
To register on ADP's portal, employees need a company-specific link from ADP and a company code, both of which the client provides to them. KrebsOnSecurity says thieves have used unregistered employee accounts to sign in with the employees' personal details and siphon W-2 information.
This process is flawed because ADP customers post the code on an unsecured online page; ADP has now disabled access to the registration portal for those clients found to be publishing the sign-up link and code online.
Read full story at KrebsOnSecurity.