An Equifax subsidiary that provides online payroll, HR and tax services alerted customers that fraudsters obtained unauthorized access to customers’ employee tax records between April 17, 2016 and March 29, 2017. Apparently, the thieves managed to reset the 4-digit PINs given out as passwords by answering personal questions about the employees and then steal W-2 tax data of TALX customers.
This letter from Equifax’s attorneys, sent to the New Hampshire Attorney General on May 15, 2017, outlines the data security incident that exposed the personal info, including W-2s, of Erickson Living employees. So far Equifax has yet to say how many consumers or payroll service customers were impacted, though according to this Krebs On Security story, “at least five organizations have received letters from Equifax about a series of incidents over the past year, including defense contractor giant Northrop Grumman; staffing firm Allegis Group; Saint-Gobain Corp.; Erickson Living; and the University of Louisville.”
Back to the aforementioned letter to the Attorney General: in it, the company admits it’s not certain how much unauthorized access took place. “Because the accesses generally appear legitimate (e.g., successful use of login credentials), TALX cannot confirm forensically exactly which accounts were, in fact, accessed without authorization, although TALX believes that only a small percentage of these potentially affected accounts were actually affected,” writes Nicholas A. Oldham, an attorney who represents TALX.
What the Krebs story goes on to highlight, and what any security expert will likely tell you, is that Equifax should have known better than to rely on a 4-digit PIN as a password, an outlandishly outdated method of protecting what is obviously very sensitive data. Two-factor authentication should be the industry standard.
“Then there is the small matter of the questions that ID thieves were able to successfully answer about their victims via TALX’s online portal,” Krebs writes. “Security experts have been warning for years about the waning effectiveness of using so-called ‘knowledge-based authentication questions’ (KBA) — such as details about the consumer’s historic location and financial activity — for online authentication.”
We recently wrote about how security questions and answers can put your identity at risk. Along with usernames and passwords, security questions and answers are often leaked in data breaches, or the answers are readily available online through sites like Spokeo and Family Tree Now (read this blog post for how to remove your information) or through social media. Learn what security experts recommend in light of this information by reading our blog post.
Those affected by this breach should consider placing a credit freeze on their accounts, though a freeze has limitations: it won’t prevent criminals from filing phony tax returns in your name to steal the refund, which is what these folks are likely most at risk of at this point.
Are you covered for identity theft?