Data Breach , Data Loss , Fraud

Tax Return Fraudsters Hit ADP Portal

U.S. Bank Confirms Fraudulent Tax Returns Filed in Employees' Names
Tax Return Fraudsters Hit ADP Portal

Some employees at organizations that use outsourced payroll provider ADP have been hit with tax return fraud. ADP blames customers for failing to secure the unique portal registration codes it issues to clients, saying they'd been obtained by fraudsters, enabling them to obtain individuals' personally identifiable information and use it to help commit identity theft.

See Also: Effective Cyber Threat Hunting Requires an Actor and Incident Centric Approach

"ADP has learned of a small number of clients whose employees have been victimized by fraudulent registrations through a self-service registration portal," ADP spokesman Dick Wolfe tells Information Security Media Group. "Any potential exposure of W-2 information was limited to individuals who have had their personal information compromised previously - unrelated to ADP - based on ADP's investigation to date."

W-2 forms, which list an employee's full name, annual salary information, Social Security number and mailing address, have been used by identity thieves to file fraudulent tax returns and illegally obtain tax refunds (see Georgia Couple Confesses to IRS 'Get Transcript' Fraud Scheme).

ADP says the fraud attempts were discovered by its in-house financial crimes monitoring team, and that it's assisting U.S. authorities with an investigation.

The news of "a weakness in ADP's customer portal," was first reported by security blogger Brian Krebs, who said related attacks helped compromise accounts at more than a dozen firms, including the nation's fifth-largest bank, U.S. Bancorp, a.k.a. U.S. Bank.

U.S. Bank: Tax Fraud Alert

U.S. Bank says no customers were affected. "This did not [involve] customers or customer information. It affected approximately 2 percent of our employees," spokesman Dana E. Ripley tells ISMG, adding that "the vulnerability has been resolved," although declining to offer any further details.

According to U.S. Bank's first-quarter earnings release for 2016, the company has about 67,000 employees, meaning that about 1,350 of those employees were the victims of tax fraud, or attempted tax fraud.

U.S. Bank declined to share a copy of the warning letter that it sent to affected employees, although a copy was obtained and published by Krebs. "Since April 19, 2016, we have been actively investigating a security incident with our W-2 provider, ADP," according to the note, sent by U.S. Bank executive vice president of human resources Jennie Carlson. "During the course of that investigation we have learned that an external W-2 portal, maintained by ADP, may have been utilized by unauthorized individuals to access your W-2, which they may have used to file a fraudulent income tax return under your name."

ADP says the information leak appears to be limited to that self-service registration portal. "ADP has no evidence that its systems housing employee information have been compromised. Additionally, the company is working with a federal law enforcement task force to identify the fraud perpetrators," Wolfe says.

ADP Disputes Portal Weakness

Commenting on the information leak, Wolfe says that "weakness in the portal is a mischaracterization," and instead blames customers for the information security lapse, saying they mishandled the unique registration code that gets issued to each ADP customer organization.

"The company registration code is combined with an individual employee's personal information - e.g., partial SSN, DOB [date of birth], employee number, etc. - to create a unique access code required for portal registration," Wolfe says. "In this case, these clients made the unique company registration code available to its employees via an unsecured public website. The combination of an unsecured company registration code and stolen personal information - via phishing, malware, etc. - enabled the fraudulent access to the portal, based on ADP's investigation to date."

Wolfe says that ADP warns customers to never publish unique registration codes to unsecured websites, "and has temporarily disabled access to the registration portal for those clients that continue to publish company registration codes in this fashion." He adds that "ADP offers and advises its clients to use alternative industry-standard controls, including personal identification codes, which offer far greater protection during the self-service registration process." For customers that opt in, he says ADP offers this "enhanced model" of security free of charge, which includes "a unique registration code for each potential registrant tied to the client account." He says clients can also use employee ID numbers or their own single sign-on systems to add additional layers of security.

It's also not clear whether the ADP registration link at organizations that experienced tax return fraud was published by those organizations on publicly accessible pages, or perhaps mishandled or inadvertently posted by employees on open forums.

Fraudsters Aggregate Stolen Data

The news of the leak is a reminder that security controls based on an individual's name, address, Social Security number, first pet - and so on - should not be treated as being secure. Aided by ongoing data leaks and rampant password reuse, security experts say fraudsters are increasingly offering services based on the likes of aggregation and data completion services such as Experian, but with a cybercrime twist. These services aggregate stolen information about individuals - especially high-net-worth individuals - then resell it to fraudsters, for example, to enable them to commit identity theft or tax-return fraud (see E*Trade, Dow Jones: 7 Breach Lessons).


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network