Fraudsters Steal Tax Data from ADP
- By Sydny Shepard
- May 04, 2016
ADP provides payroll, tax and benefits administration services to over 640,000 companies. The service allows the companies’ employees to access their payroll and tax data through a dedicated online portal that provides convenience to the users.
To do this, however, employees need to create an online account by entering personal information including their name, date of birth and Social Security number. When a new employee comes to the company, a custom, company-specific link is provided by ADP, and a static code is assigned to the customer by ADP.
Companies can choose either to create an account for each employee or to defer the process to a later date. Some of the companies that chose to defer the account setup have unfortunately chosen to publish their company-specific link and static code online, on a website for employees.
The attackers, armed with this information and the private information of the employees, then created accounts on the ADP portal in the name of employees who had yet to begin their account setup process.
This allowed the attackers to collect the employees’ W-2 information and make fraudulent tax refund requests to the US tax agency (IRS).
ADP says that the companies made the mistake of publishing data that should not have been made public and that it is now actively scouring the web for exposed links and codes assigned to other ADP customers.
About the Author
Sydny Shepard is the Executive Editor of Campus Security & Life Safety.