Today, ADP explained how cyber-thieves were able to steal sensitive tax and salary information belonging to employees of companies that use ADP’s payroll service. Detailed income data of a dozen or so of ADP’s 630,000 corporate clients were stolen by cyber-criminals. ADP explained that its computers were not hacked; rather, the cyber-criminals were able to obtain online registration codes that employees use to access their payroll data with personal information about the employees captured from other sources. What is truly scary about this data capture is that it highlights the extent to which a black market exists for personally identifying information. ADP advises its corporate clients against publishing registration codes for its service to public-facing websites and notifies them of the potential risks. Now the cyber-criminals will have an easier time stealing next year’s tax refunds from these employees as they can verify income data and possibly circumvent the IRS’s anti-fraud controls that check reported income. The take-home lesson is never publish any links to confidential information where they can be accessed by those who have no reason to see them.
Posts Tagged ‘Identity fraud’
Risks of Publishing Registration Codes
Tuesday, May 3rd, 2016Lessons Learned the Hard Way
Tuesday, January 20th, 2009My earlier posting summarizing the lessons an attorney learned the hard way about identity fraud elicited strong response from readers, many of whom preferred to share their experiences by means other than direct posting. This attached image shows a scan of a letter one reader received from the Bank of New York Mellon, which is the custodial bank for his retirement savings account. As you can see, I have redacted the personal identifying information to make sure another misuse of private data does not occur. The letter advises that bank’s archive services vendor lost computer tapes containing personal client information when transporting them to an off-site storage facility. If you double-click on this image, you can read the letter for yourself. Obviously, this is a letter you prefer not to receive, but note that the bank acted proactively to offer free credit monitoring services to the clients who may have been affected, although they had no reason to believe that this information had been misused in any way. As the previous blog entry indicated, one unlucky attorney learned how important this service is. Should you find that any of your personal data may have been compromised, request that the vendor provide this service to you at his expense. And of course, should you ever experience a compromise of the security of your client data, offer to do the same for your clients.
In addition, Cliff Ennico, who is NOT the attorney whose advice I summarized in the earlier blog posting, offered some useful suggestions of his own for information you will need to have readily available in the event of an emergency. I have attached the link here.
Finally, I wanted to add a suggestion of my own. I had an issue with identity fraud when the previous tenant of an apartment I had purchased continuously updated her mail forwarding. By unhappy coincidence we shared the same last name, so that much of my mail was re-routed to her in another state. This mail included frequent flyer statements from the airlines on which I travel (which I now receive electronically rather than in paper form). As a “courtesy” to me, the airlines automatically updated the mail forwarding information with this woman’s address. I only learned of this matter when I called an airline to request frequent flyer awards and was told that they could only mail the tickets (back in the days of paper tickets) to the address on file for me, which was in Tennessee. When I protested that I lived in New York, not Tennessee, the whole issue of the improper mail forwarding came to light. The airline staff advised me to instruct them in writing not to automatically update my account address for mail forwarding unless I specifically request in writing that they do so. I did the same for some of the online and catalog merchants from which I often order products, as they also use mail update services as a “courtesy” to customers whose mail has been forwarded. It is a sad lesson, but vigilance pays.