Today, ADP explained how cyber-thieves were able to steal sensitive tax and salary information belonging to employees of companies that use ADP’s payroll service. Detailed income data of a dozen or so of ADP’s 630,000 corporate clients were stolen by cyber-criminals. ADP explained that its computers were not hacked; rather, the cyber-criminals were able to obtain online registration codes that employees use to access their payroll data with personal information about the employees captured from other sources. What is truly scary about this data capture is that it highlights the extent to which a black market exists for personally identifying information. ADP advises its corporate clients against publishing registration codes for its service to public-facing websites and notifies them of the potential risks. Now the cyber-criminals will have an easier time stealing next year’s tax refunds from these employees as they can verify income data and possibly circumvent the IRS’s anti-fraud controls that check reported income. The take-home lesson is never publish any links to confidential information where they can be accessed by those who have no reason to see them.