Security issue could impact ADP customers

Publication May 2016

According to news reports, cybercriminals appear to have gained unauthorized access to ADP, Inc.’s self-service customer portal to file fraudulent tax returns for some ADP customer employees. ADP has reportedly confirmed that a subset of its customers have been victims of tax fraud perpetrated by hackers posing as customer employees on ADP’s portal.

ADP provides payroll, tax and benefits administration for over 640,000 companies. In connection with providing payroll, tax and benefits administration, ADP stores tax and salary information, such as W-2s, for each of its customers’ employees. For some ADP customers, employees can view this information themselves by registering with ADP’s self-service portal.

ADP relies on static data – name, Social Security Number, date of birth, and a unique company identification code – to authenticate new portal registrants.  Unfortunately, due to the multitude of breaches that have occurred over time, such personal information is widely available for purchase by malicious actors on the dark web and the black market.  Additionally, many companies post unique ADP identification codes publicly for the convenience of their employees. 

Once hackers obtain the data elements required for registration, they are able to create fraudulent ADP accounts within ADP’s self-service portal for customer employees who had not previously registered for the portal. Hackers can then view W-2 information within those accounts and use it to file fraudulent tax returns on behalf of those employees.

In addition, if the ADP portal is enabled to store the wire transfer/bank account information of a company’s employees, a criminal with access to an employee’s account can change the wire instructions and have the employee’s pay sent to a fraudulent bank account.

ACTION STEPS:  We recommend that ADP customers consider taking certain steps to protect their employees’ information against tax fraud:

  • If an organization had previously posted its unique ADP registration code publicly, the company should consider investigating whether any unusual or fraudulent activity took place with respect to ADP’s self-service portal. Clues may include recent registrations of employees who had not previously registered, the registration of non-company email addresses in the portal, the modification of wire transfer particulars, and complaints by employees that tax returns had been filed in their name without approval, or that they had not received a payment during a payroll period.
  • If the unique registration code is publicly available, or was publicly available at any point, remove the code so it is no longer publicly available and request that ADP change the company’s registration code. 
  • Going forward, companies may consider taking advantage of additional authentication measures that ADP may make available, including assigning employees personal identification codes for registration. 
  • As a precautionary measure, we also recommend that ADP customers review existing services agreements with ADP to understand the respective contractual obligations of each party in the event that a security incident does occur.
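The review suggested in the first action step can be partly automated if the portal activity can be exported. The following is an added illustration, not ADP's code or tooling, and it assumes a hypothetical event export with the fields shown; it flags recent first-time registrations, registrations under a non-company email domain, and deposit-instruction changes made shortly after registration, using constructed sample records.

```python
"""Triage constructed portal audit events for the indicators listed in
the action steps.  Field names, event types and the record layout are
assumptions for this example; a real ADP export may differ."""
from datetime import datetime, timedelta

COMPANY_DOMAIN = "example-corp.com"  # assumed employer email domain

# Constructed sample events (not real data).  Timestamps are ISO 8601.
EVENTS = [
    {"ts": "2016-03-01T09:02:00", "employee_id": "E100",
     "event": "register", "email": "alice@example-corp.com"},
    {"ts": "2016-04-20T23:41:00", "employee_id": "E217",
     "event": "register", "email": "e217.payroll@mailbox-example.net"},
    {"ts": "2016-04-21T00:05:00", "employee_id": "E217",
     "event": "deposit_change"},
    {"ts": "2016-04-22T10:15:00", "employee_id": "E305",
     "event": "register", "email": "bob@example-corp.com"},
    {"ts": "2016-04-23T10:30:00", "employee_id": "E305",
     "event": "deposit_change"},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def triage(events, company_domain, since, window=timedelta(days=2)):
    """Return {employee_id: [indicator, ...]} for employees with any hit.

    since  -- ISO timestamp; registrations on or after it count as recent
    window -- how soon after registration a deposit change is suspicious
    """
    findings, reg_time, since_dt = {}, {}, _parse(since)
    for ev in sorted(events, key=lambda e: e["ts"]):
        emp = ev["employee_id"]
        hits = findings.setdefault(emp, [])
        if ev["event"] == "register":
            reg_time[emp] = _parse(ev["ts"])
            if reg_time[emp] >= since_dt:
                hits.append("recent first-time registration")
            domain = ev["email"].rsplit("@", 1)[-1].lower()
            if domain != company_domain.lower():
                hits.append(f"non-company email domain: {domain}")
        elif ev["event"] == "deposit_change":
            # Only compare against a registration already seen in the log.
            if emp in reg_time and _parse(ev["ts"]) - reg_time[emp] <= window:
                hits.append(f"deposit details changed within {window.days} "
                            "days of registration")
    return {emp: h for emp, h in findings.items() if h}


if __name__ == "__main__":
    for emp, hits in triage(EVENTS, COMPANY_DOMAIN, "2016-04-01T00:00:00").items():
        print(emp, "->", "; ".join(hits))
```

Flagged employees should be confirmed with the individual and with HR before any conclusion is drawn, since a legitimate new hire will also trigger the first two indicators.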

Norton Rose Fulbright is currently helping multiple companies investigate and respond to these types of incidents.  For more information, please contact David Navetta or Boris Segalis.
