Hackers managed to break through ADP’s firewalls and steal sensitive tax and salary information for employees at a dozen companies.
ADP explained that fraudsters managed to siphon W-2 tax forms using a convenient online feature.
The company won’t say when the cyber attack occurred or how many people had their income data exposed.
The firm did say the incident affected “around a dozen” of the company’s 630,000 corporate clients.
One affected client is US Bank, where 1,400 people were affected. That’s about 2% of the company, according to the bank.
ADP explained how the hack occurred. Many companies provide pay information to their employees online. This makes it easier to download past W-2 forms whenever they’re needed for doing taxes or applying for a loan.
ADP offers that feature by way of its public-facing website. To register, an employee has to use a “unique company registration code” and some personal information, including their Social Security number and birthday.
Hackers got a hold of some company registration codes and paired that data with stolen employee information.
“The combination of an unsecured company registration code and stolen personal information enabled the fraudulent access to the portal,” ADP explained.
ADP said there’s “no evidence” its own computers have been hacked. The company also appears to be blaming its clients for not properly guarding keys to its document-sharing feature.
The company only acknowledged the breach after it was reported by cybersecurity reporter Brian Krebs.
ADP is working with a federal law enforcement task force to investigate what happened and to avoid any future issues with its public-facing systems.