ADP recently reported that a number of its clients have potentially had some of their employees’ information compromised by a fraudulent ADP self-service portal. Thus far only U.S. Bancorp is known to be involved, though according to Krebs on Security, many more could have fallen victim as well. Bancorp spokeswoman Dana Ripley said in a statement to SC Magazine that although the issue probably reached as many as two percent of the company’s workforce, it was no longer a concern and had been resolved.
ADP believes the situation began when some of its clients posted their unique ADP corporate registration code to an unsecured website. The criminal then used that information to “locate an unregistered account and then use the personal identifiable information gleaned from the web in conjunction with the corporate ID number to properly register the individual,” which allowed that person to view the victims’ W-2 information.
However, Adam Levin, chairman and founder of IDT911, believes that both sides were at fault and claims that “ADP confirmed a weakness in their customer portal — exacerbated by careless security hygiene on the part of their customer companies — that hackers exploited to access the W-2 data of a number of employees at more than a dozen client firms. As ADP works with more than 640,000 companies, this may only be the tip of the iceberg.”