A dramatic rise in CEO spear phishing scams resulted in numerous organizations, from the NBA’s Milwaukee Bucks to Main Line Health, a Philadelphia area healthcare provider that inadvertently released employee W-2 information to hackers.
At the same time, another threat emerged, this time targeting credit reporting company Equifax and payroll provider ADP, both of which offer services that allow employees of subscriber companies to access their W-2 forms online. As a result, approximately 431,000 employees at the Kroger grocery company, 600 current and former employees of Stanford University, 150 employees at Northwestern University, and an unknown number of employees at U.S. Bank and 11 other ADP customer companies had their W-2 data compromised.
It is believed that the thieves intended to use the data to file fraudulent tax returns requesting large refunds from the IRS. Employees can be victims of this scam even if they are not owed tax refunds, and often, they have no idea they have been victimized until they attempt to file legitimate returns, and the IRS rejects them as duplicative.
What went wrong?
Unlike the Milwaukee Bucks and Main Line Health breaches, where hackers tricked employees into emailing them W-2 data directly, the Equifax and ADP breaches involved hackers using default login credentials to access the companies’ online W-2 portals.
In Equifax’s case, when a company subscribes to its online W-2 system, each employee is assigned default PIN so that they can log in to the portal and access their W-2. While employees can (and should) change their default PINs, most don’t. This default PIN consisted of the last four digits of the employee’s Social Security Number combined with their year of birth.
ADP’s system was more robust, requiring several pieces of the employee’s data (including their name, Social Security number, and date of birth), along with a custom, company-specific link and static code.
The problem was that ADP gave its customer companies a choice: They could create an account for each employee when they first sign up for the service or have the employees do it themselves later. The problem occurred when some customers, including U.S. Bank, not only deferred employee account registration but also – not realizing this information was supposed to be kept confidential – posted the company portal link and code on a public website.
This gave hackers the chance to create accounts before employees got around to doing it.
Static Credentials are Weak Authenticators
Both ADP and Equifax offer employers the opportunity to generate random PIN codes instead of using employees’ personal information, but the companies affected by the breaches elected not to do so.
Using such “static credentials” saves the employer the time and cost of generating and disseminating random PIN codes, and resetting PINs for employees who lose them. However, thanks to the transparency of the internet, “static credentials” such as birth years and Social Security numbers are now easily and cheaply available on the dark net.
Randomly generated system credentials, such as a PIN, can assist in helping to protect sensitive employee data. The only way to fully ensure corporate and staff security is to monitor all systems storing PII, and routinely run penetration tests against them.
Organizations that are using sites that provide W-2s or other sensitive information online should to take the following proactive steps to protect their employees from tax fraud:
- If, like ADP, a service provider offers the option to set up employee accounts immediately or defer doing so, always choose the former option.
- Generate random PINs/passwords that have strong security and that are not based on employees’ personal information.
- Deliver login credentials to employees via postal mail or put them in sealed envelopes and hand them out in-person, at the workplace. Never send them through email.
- Never post online portal links on public websites.
- Configure the online portal so that as soon as the employee logs in for the first time, the system requires that they change their PIN/password, and that the new PIN/password has strong security.
- Have security personnel on-site who can help employees with lost PINs and other login problems.
Like spear phishing, hackers’ use of stolen static credentials to compromise online W-2 sites is a human vulnerability problem that requires not only technological defenses such as secure passwords but also human defenses such as cyber security awareness training. If an organization’s internal security resources are not sufficient to handle enhanced security procedures, it should enlist the help of a managed security services provider (MSSP). An MSSP can provide on-site cyber security experts, either in addition to an existing security team or on their own.
If an organization’s payroll data is not secure, it is not a question of if but when hackers will breach it. Not surprisingly, this year’s payroll data breaches have resulted in calls for legislation to protect employees from tax data fraud and to hold employers and online W-2 services who suffer breaches accountable. It is only a matter of time before the government takes action, and one needs only look at the healthcare industry, which faces stringent regulations and stiff penalties under HIPAA if patient data is breached, to imagine what such legislation might look like. Rather than waiting for this to happen – or, worse yet, waiting for a breach to occur – employers need to get ahead of this issue and take proactive steps to protect their employees’ tax data.
Mike Baker is founder and Principal at Mosaic451, a bespoke cybersecurity service provider and consultancy with specific expertise in building, operating and defending some of the most highly-secure networks in North America.