Dox pays lots.
An unknown number of staff at US corporations are at high risk of having their tax returns plundered after criminals siphoned their publicly-disclosed personal details and a unique company URL to obtain their records from payroll provider ADP.
The breach disclosed by KrebsOnSecurity does not appear to be a direct breach of ADP systems or networks, but rather a failure to protect personal information and sensitive data, along with authentication shortfalls.
Criminals used the private information to register ADP accounts which then provided the additional W-2 (an annual salary summary) payroll information needed to potentially fleece their tax returns.
US Bank sent a letter, obtained by KrebsOnSecurity, warning staff that it had been investigating an ADP breach since 19 April and that a W-2 portal may have been used to file fraudulent income tax returns.
It pinned the breach on attackers who used employees’ personal information to register new ADP accounts and access W-2 forms.
The source of the personal information is not disclosed but it could have been accessed using open source intelligence, any number of personal information caches sold on criminal forums, or through a breach of a third party service.
ADP says it did not come from its services.
A unique company-issued URL required to register an ADP account was published by US Bank to an online “employee resource” which was accessed by criminals as part of the attacks.
It was not disclosed if the link was publicly-accessible without credentials or whether employees posted that URL elsewhere, but US Bank has said it did not regard the link as sensitive and would no longer publish it online.
A publicly-accessible US Bank W-2 form page which exists in internet caches has been taken down.
Both the bank and ADP say a small number of customers and staff were affected.
Fraudsters would have needed credentials including name, date of birth, and Social Security numbers to gain access to W-2 forms. ®