[BreachExchange] How to Protect Employee Tax & Salary Data from Hackers

Audrey McNeil audrey at riskbasedsecurity.com
Thu Aug 11 19:18:47 EDT 2016


http://mspmentor.net/guest-bloggers/how-protect-employee-tax-salary-data-hackers

A dramatic rise in CEO spear phishing scams has led numerous
organizations, from the NBA’s Milwaukee Bucks to Main Line Health, a
Philadelphia area healthcare provider, to inadvertently release employee
W-2 information to hackers.

At the same time, another threat emerged, this time targeting credit
reporting company Equifax and payroll provider ADP, both of which offer
services that allow employees of subscriber companies to access their W-2
forms online. As a result, approximately 431,000 employees at the Kroger
grocery company, 600 current and former employees of Stanford University,
150 employees at Northwestern University, and an unknown number of
employees at U.S. Bank and 11 other ADP customer companies had their W-2
data compromised.

It is believed that the thieves intended to use the data to file fraudulent
tax returns requesting large refunds from the IRS. Employees can be victims
of this scam even if they are not owed tax refunds, and often, they have no
idea they have been victimized until they attempt to file legitimate
returns, and the IRS rejects them as duplicative.

What went wrong?

Unlike the Milwaukee Bucks and Main Line Health breaches, where hackers
tricked employees into emailing them W-2 data directly, the Equifax and ADP
breaches involved hackers using default login credentials to access the
companies’ online W-2 portals.

In Equifax’s case, when a company subscribes to its online W-2 system, each
employee is assigned a default PIN so that they can log in to the portal and
access their W-2. While employees can (and should) change their default
PINs, most don’t. This default PIN consisted of the last four digits of the
employee’s Social Security Number combined with their year of birth.

ADP’s system was more robust, requiring several pieces of the employee’s
data (including their name, Social Security number, and date of birth),
along with a custom, company-specific link and static code.

The problem was that ADP gave its customer companies a choice: they could
create an account for each employee when they first signed up for the service
or have the employees do it themselves later. Some customers, including
U.S. Bank, not only deferred employee account registration but also – not
realizing this information was supposed to be kept confidential – posted
the company portal link and code on a public website.

This gave hackers the chance to create accounts before employees got around
to doing it.

Static Credentials are Weak Authenticators

Both ADP and Equifax offer employers the opportunity to generate random PIN
codes instead of using employees’ personal information, but the companies
affected by the breaches elected not to do so.

Using such “static credentials” saves the employer the time and cost of
generating and disseminating random PIN codes, and resetting PINs for
employees who lose them. However, thanks to the transparency of the
internet, “static credentials” such as birth years and Social Security
numbers are now easily and cheaply available on the dark net.

Randomly generated system credentials, such as PINs, help protect sensitive
employee data. The only way to fully ensure corporate and staff security is
to monitor all systems storing PII and routinely run penetration tests
against them.

Organizations that use sites that provide W-2s or other sensitive
information online should take the following proactive steps to protect
their employees from tax fraud:

- If, like ADP, a service provider offers the option to set up employee
accounts immediately or defer doing so, always choose the former option.
- Generate random PINs/passwords that have strong security and that are not
based on employees’ personal information.
- Deliver login credentials to employees via postal mail or put them in
sealed envelopes and hand them out in-person, at the workplace. Never send
them through email.
- Never post online portal links on public websites.
- Configure the online portal so that as soon as the employee logs in for
the first time, the system requires that they change their PIN/password,
and that the new PIN/password has strong security.
- Have security personnel on-site who can help employees with lost PINs and
other login problems.

Like spear phishing, hackers’ use of stolen static credentials to
compromise online W-2 sites is a human vulnerability problem that requires
not only technological defenses such as secure passwords but also human
defenses such as cyber security awareness training. If an organization’s
internal security resources are not sufficient to handle enhanced security
procedures, it should enlist the help of a managed security services
provider (MSSP). An MSSP can provide on-site cyber security experts, either
in addition to an existing security team or on their own.

If an organization’s payroll data is not secure, it is not a question of if
but when hackers will breach it. Not surprisingly, this year’s payroll
data breaches have resulted in calls for legislation to protect employees
from tax data fraud and to hold employers and online W-2 services that
suffer breaches accountable. It is only a matter of time before the
government takes action, and one needs only look at the healthcare
industry, which faces stringent regulations and stiff penalties under HIPAA
if patient data is breached, to imagine what such legislation might look
like. Rather than waiting for this to happen – or, worse yet, waiting for a
breach to occur – employers need to get ahead of this issue and take
proactive steps to protect their employees’ tax data.