[ALERT] Fraudsters Steal Tax, Salary Data From ADP. Are Employees At Risk?



It turns out that HR giant ADP, which provides payroll, tax and benefits administration for more than 640,000 companies, was vulnerable to an ID theft scam. The criminal hackers made off with tax and salary data, according to a report from Brian Krebs, although the actual number of employees affected has yet to be revealed. HR in any organization should be prepared to take action if employees are affected.

Your organization may be one of the hundreds of thousands that rely on ADP. In this blog I have warned for years that cybercrime has gone pro, and that the sophistication of its attacks is only going up. Over the last few months the gangs have targeted HR and Accounting, trying to social engineer employees in those departments into handing over W-2 information and approving large wire transfers, respectively.

Cybercriminals are now using a process called “Flowjacking”: they map the work and data flow of ADP’s internal processes. They found that setting up a user account with the company is a two-step process. The first step is creating the account, which requires a social security number and other personal data that is easily bought in the underground internet economy.

The second step is activating the account. ADP sends activation codes to the companies that set up accounts with it. Unfortunately, some companies are not careful with their activation codes and wind up posting them on their website for employees to use, where the codes can easily be scraped by alert hackers.

Armed with a stolen social security number and a code grabbed from a website, the bad guys can inject themselves into ADP’s normal process and make off with the personal information of thousands, maybe even millions, of people, which is then easily marketed in the criminal internet economy.

ADP has so far not released information on how many records were put at risk by this attack, and security experts stress that ADP's systems themselves were not hacked. Rather, the workflow was abused: the attackers took advantage of the fact that some customer organizations weren't as careful as they should have been with their activation codes.
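The hygiene check the paragraphs above call for, as an added example that is not part of the original post and not anything ADP publishes: a small Python scanner that looks through pages you control for enrollment or activation codes printed right next to their label, which is exactly what a "flowjacker" would scrape. The label list, the code-shaped-token heuristic, the sample URLs and the sample HTML are all constructed assumptions for this example; in production you would fetch your own intranet and public pages instead of supplying HTML inline.

```python
import re
from html.parser import HTMLParser

# Labels that commonly sit next to enrollment secrets on HR or intranet pages.
# This list is an assumption for the example; extend it for the vendors you use.
LABEL_RE = re.compile(
    r"(registration|activation|enrol?lment|company|sign-?up)\s+code",
    re.IGNORECASE,
)
# A code-shaped token: 6+ characters of letters, digits or dashes.
TOKEN_RE = re.compile(r"\b[A-Za-z0-9][A-Za-z0-9-]{5,}\b")


class _TextExtractor(HTMLParser):
    """Collects the visible text of a page; tags and attributes are dropped."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def html_to_text(html):
    parser = _TextExtractor()
    parser.feed(html)
    # Collapse all whitespace so a label and its code match across line breaks.
    return " ".join(" ".join(parser.chunks).split())


def looks_like_code(token):
    # Heuristic (an assumption): enrollment codes contain a digit or are all caps,
    # which separates "EXAMPLECO-1234" from ordinary words such as "emailed".
    return any(ch.isdigit() for ch in token) or token.isupper()


def find_exposed_codes(html, window=60):
    """Return (label, token) pairs for every label that is followed, within
    `window` characters of visible text, by a code-shaped token."""
    text = html_to_text(html)
    findings = []
    for label in LABEL_RE.finditer(text):
        context = text[label.end():label.end() + window]
        for match in TOKEN_RE.finditer(context):
            if looks_like_code(match.group(0)):
                findings.append((label.group(0).lower(), match.group(0)))
                break
    return findings


def scan_pages(pages):
    """Map each URL to its findings. `pages` is {url: html}; here the HTML is
    supplied inline, in production you would fetch each URL first."""
    return {url: find_exposed_codes(html) for url, html in pages.items()}


# Constructed sample pages (not real intranet content).
SAMPLE_PAGES = {
    "https://intranet.example.com/hr/payroll": (
        "<html><body><h1>Payroll self-service</h1>"
        "<p>New hires: open the payroll portal and enter the company registration code\n"
        "<b>EXAMPLECO-1234</b> to create your account.</p></body></html>"
    ),
    "https://intranet.example.com/hr/faq": (
        "<html><body><p>Lost your activation code? Ask HR; it is handed to you "
        "in person and never posted here.</p></body></html>"
    ),
}


if __name__ == "__main__":
    for url, findings in scan_pages(SAMPLE_PAGES).items():
        status = "EXPOSED" if findings else "ok"
        print(f"{status:8} {url} {findings}")
```

The first sample page is flagged because a code-shaped token sits right after the label; the FAQ page only mentions the code and is reported clean. Any hit is a finding to remove from the page, and a reminder that an activation code that is published is no longer a second factor, just another piece of data the attacker can collect alongside the SSN.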

If your organization uses ADP, someone in HR should contact your ADP rep and check whether any of your employee records were affected. It could be none, it could be a very small percentage, but I suggest HR take proactive measures.

The hackers made off with W-2 data, so tax refunds and returns could be affected, and these stolen identities are also being bought by other cyber mafias and used for increasingly targeted phishing attacks.

You can expect highly personalized (spear-)phishing attacks using the stolen ADP data, sent to hundreds of thousands or even millions of people. Employees should be inoculated against attacks like this with simulated phishing emails that train them to spot the red flags in such messages. KnowBe4 has hundreds of ready-to-send phishing templates that are known to work.

Not a customer yet? Request a one-on-one demo

Join the 4,000+ organizations that use KnowBe4 and make your employees your first line of defense.

Get a one-on-one live demo of the Kevin Mitnick Security Awareness Training and Simulated Phishing Platform, ask questions, and see how easy it is to train and phish your users:

Request A Demo

Do not like to click on redirected buttons? Cut/Paste this link in your browser:
https://info.knowbe4.com/kmsat-request-a-demo

More detail, background and analysis at Brian Krebs' site

Warm regards, and let's stay safe out there. 

Stu Sjouwerman, Founder and CEO
KnowBe4, Inc

Topics: Phishing