06
May 16

Crooks Grab W-2s from Credit Bureau Equifax

Identity thieves stole tax and salary data from big-three credit bureau Equifax Inc., according to a letter that grocery giant Kroger sent to all current and some former employees on Thursday. The nation’s largest grocery chain by revenue appears to be one of several Equifax customers that were similarly victimized this year.

Atlanta-based Equifax’s W-2Express site makes electronic W-2 forms accessible for download for many companies, including Kroger — which employs more than 431,000 people. According to a letter Kroger sent to employees dated May 5, thieves were able to access W-2 data merely by entering at Equifax’s portal the employee’s default PIN code, which was nothing more than the last four digits of the employee’s Social Security number and their four-digit birth year.

“It appears that unknown individuals have accessed [Equifax’s] W2Express website using default log-in information based on Social Security numbers (SSN) and dates of birth, which we believe were obtained from some other source, such as a prior data breach at other institutions,” Kroger wrote in a FAQ about the incident that was included with the letter sent to employees. “We have no indication that Kroger’s systems have been compromised.”

The FAQ continued:

“At this time, we have no indication that associates who had created a new password (did not use the default PIN) were affected, and we are still identifying which associates still using the default PIN may have been affected. We believe individuals gained access to some Kroger associates’ electronic W-2 forms and may have used the information to file tax returns in their names in an effort to claim a fraudulent refund.”

“Kroger is working with Equifax and the authorities to determine who is affected and restore secure access to W-2Express. At this time, we believe you are among our current and former Kroger associates using the default PIN in the W-2Express system. This does not necessarily mean your W-2 was accessed as part of this security incident. We are still working to identify which individuals’ information was accessed.”

Kroger said it doesn’t yet know how many of its employees may have been affected.

The incident comes amid news first reported on this blog earlier this week that tax fraudsters similarly targeted employees of companies that used payroll giant ADP to give employees access to their W-2 data. ADP acknowledged that the incident affected employees at U.S. Bank and at least 11 other companies.

Equifax did not respond to requests for comment about how many other customer companies may have been affected by the same default (in)security. But Kroger spokesman Keith Dailey said other companies that relied on Equifax for W-2 data also relied on the last four of the SSN and 4-digit birth year as authenticators.

“As far as I know, it’s the standard Equifax setup,” Dailey said.

Last month, Stanford University alerted 600 current and former employees that their data was similarly accessed by ID thieves via Equifax’s W-2Express portal. Northwestern University also just alerted 150 employees that their salary and tax data was stolen via Equifax this year.

In a statement released to KrebsOnSecurity, Equifax spokeswoman Dianne Bernez confirmed that the company had been made aware of suspected fraudulent access to payroll information through its W-2Express service by Kroger.

“The information in question was accessed by unauthorized individuals who were able to gain access by using users’ personally identifiable information,” the statement reads. “We have no reason to believe the personally identifiable information was attained through Equifax systems. Unfortunately, as individuals’ personally identifiable information has become more publicly available, these types of online fraud incidents have escalated. As a result, it is critical for consumers and businesses to take steps to protect consumers’ personally identifiable information including the use of strong passwords and PIN codes. We are working closely with Kroger to assess and monitor the situation.”

ID thieves go after W-2 data because it contains much of the information needed to fraudulently request a large tax refund from the IRS in someone else’s name. Kroger told employees they would know they were victims in this breach if they received a notice from the IRS about a fraudulent refund request filed in their name.

However, most victims first learn of the crime after having their returns rejected by the IRS because the scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.

Kroger said it would offer free credit monitoring services to employees affected by the breach. Kroger spokesman Dailey declined to say which company would be providing that monitoring, but he did confirm that it would not be Equifax.

Update, May 7, 9:44 a.m.: Added mention of the Northwestern University incident involving Equifax’s W-2 portal.
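A portal operator that already holds the HR data can check for the default PIN described above (last four SSN digits plus four-digit birth year) and retire it. The sketch below is an added example, not code from Equifax, Kroger or this article: it flags accounts whose stored hash still matches the derivable PIN, locks them, and issues a random activation code for out-of-band delivery. The record layout, the PBKDF2 storage scheme and all function names are assumptions, and the sample records are constructed.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000  # assumed storage scheme, not the portal's actual one


def default_pin(ssn: str, birth_year: int) -> str:
    """Default PIN as the article describes it: last four SSN digits + birth year."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    return digits[-4:] + f"{birth_year:04d}"


def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def still_on_default(rec: dict) -> bool:
    """True if the stored hash matches the PIN derivable from HR data."""
    if rec["pin_hash"] is None:  # credential already revoked
        return False
    candidate = hash_pin(default_pin(rec["ssn"], rec["birth_year"]), rec["salt"])
    return hmac.compare_digest(candidate, rec["pin_hash"])


def remediate(records: list) -> dict:
    """Lock every account still on the default PIN and return one random
    10-digit activation code per locked account, for out-of-band delivery."""
    issued = {}
    for rec in records:
        if still_on_default(rec):
            rec["locked"] = True
            rec["pin_hash"] = None  # the derivable PIN can no longer log in
            issued[rec["emp_id"]] = "".join(
                secrets.choice("0123456789") for _ in range(10))
    return issued


def sample_records() -> list:
    """Constructed records; the SSNs use the never-issued 000 area number."""
    rows = [
        ("E1001", "000-12-3456", 1975, None),                # never changed the default
        ("E1002", "000-98-7654", 1988, "correct horse 42"),  # chose own password
    ]
    out = []
    for emp_id, ssn, year, chosen in rows:
        salt = os.urandom(16)
        pin = chosen if chosen is not None else default_pin(ssn, year)
        out.append({"emp_id": emp_id, "ssn": ssn, "birth_year": year,
                    "salt": salt, "pin_hash": hash_pin(pin, salt), "locked": False})
    return out


if __name__ == "__main__":
    for emp_id in remediate(sample_records()):
        print(emp_id, "locked; activation code queued for mailing")
```
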

38 comments

  1. TOMKINS EILEEN

    I read this column without fail because I know virtually nothing about online security, so I could easily be missing something here, but isn’t “default pin code” an oxymoron? Are “default pin codes” commonly used? How can I easily find out whether they are used by my online bank or store account? If I understand this event properly, it sounds like a crazy lack of security.

    • If you received a PIN from your employer for an HR web portal and you didn’t change it, then it’s still set to the default PIN.

    • At one time it was common to receive ATM & credit cards from banks that used a random number as the default PIN (sent in a separate piece of mail from the card itself), which you then changed as part of the initial setup process. It represents an additional point of authentication for the bank since it’s a value they chose and mailed out separately (and usually a week or two earlier/later than the card).

  2. Kroger will remain blameless as all the fault is with Equifax.

    This entire thing is nothing more than insanity. From one end to the other. No one is responsible for anything anymore.

    • But Equifax said it’s not their fault. It’s the fault of other companies who didn’t do enough to secure the last 4 of the ssn and birth year. The fact that they chose those as the only verification info apparently has nothing to do with the vulnerability.

      I hope you’re picking up on the sarcasm here.

  3. Kroger HR dictates the default setup, not Equifax, to save them phone calls, mailing, etc.

    Funny how Kroger is throwing Equifax under the bus.

    • Sue, customers have been doing that for years, beginning with the Fair Credit Reporting Act back in the early 70’s.

  4. It’s just laziness to use the last 4 digits of PIN as the PIN code. Is it to save money on postal mailing them the PIN (which some people do) or are they tired of doing a PIN reset when people forget a non-obvious one, so they assign one that anyone cannot forget?

    • It’s so companies don’t have to spend time customizing access details to employees, they can just send a “your default pin is your SSN+birth year” email. This is ridiculously common.

  5. Northwestern University also used Equifax to provide W-2’s. All you need to access was full SSN and birth date. They just provided credit monitoring (by Equifax) to all employees. http://www.northwestern.edu/newscenter/stories/2016/05/free-credit-monitoring,-id-theft-proection-offered-to-employees.html

  6. Wow. I am speechless.
    That is no security at all. In what alternate world do these people live that they think a “default” anything is adequate for a login???
    Geez.

  7. My question, has Equifax ever been through a full scale penetration test to assess its vulnerabilities? Do they have a comprehensive security/risk management framework they work within…and maintain?

    I’m the Director of Ops/Information Security Officer for a small business government contracting firm. We operate under the Risk Management Framework for DoD IT (based in NIST and CNSS guidelines). If we can implement these measures, and the comprehensive monitoring, penetration testing, etc…I would sure as hell think Equifax and other major companies can.

    Don’t get me wrong, NO system is without its vulnerabilities, both from internal threats and external actors. However, I would bet to say many companies are operating from a position of apathy…“it’s going to happen at some point so I’m not going to sweat the effort and cost…I will just give everyone credit monitoring”. By the way, credit monitoring services being offered by the very services being hacked is ludicrous.

    Equifax, do yourself a favor and hire yourself a few highly skilled CISSPs and provide the funding and executive support they need to do their job…short of that hire a firm like Mandiant.

    • You’re missing the forest for the trees. Equifax and the other bureaus’ entire business model is based around hiding information from you and selling it to anybody else for a buck. They cannot make it secure or accurate without driving the price sky high to the point nobody would pay for it. It will NEVER be anything but the leaky security bucket it is today.

  8. One thing that could help is if these sites would require 2 factor authentication…something you know and something you own. For example, a Yubikey (www.yubico.com), google authenticator, etc.

    • In order to sign up for 2 factor authentication, you first have to have logged into the site. So then, how do you log in to the site for the first time if it requires 2 factor authentication before you can ever log in?

      • Random activation PIN, mailed to user’s home address, included with pay slip, etc.?

        • No doubt. Don’t they have an employee number they could use instead of the ssn and/or birthyear?

          Enter the last four of your employee number and your department’s cost center code to log in the first time.

          It may not be completely confidential, but these days it would be harder to get than the ssn and birth year.

  9. Hrrmm.. When I started my new job, to get access to the HR system (ADP) for leave management and entitlements etc., I got given a sealed letter containing my login information and a random password I had to change when I signed in.

    When it comes up to tax time, we’re issued hard copy annual income/tax statements in similar sealed letters (the kind that have the random print so you can’t hold them up to the light, with the perforated edges etc).

    Surely as part of one’s induction process, unique credentials should be issued to the employee, and if they have problems, designated, authenticated individuals at each worksite (Eg. trusted managers) could have the privileges to assist employees with obtaining new credentials (face to face, ability to check photo ID in person etc. getting around static knowledge check on just a phone/web service).

  10. Robert.Walter

    The duplicity, disingenuousness and recklessness of both Equifax and their customers is breathtaking but not surprising.

    Both sides initially agreed to, and later serially failed to improve, the strength of the default setup despite ever accumulating information, that to anybody even casually observing security topics, (or reading Brian’s Most Excellent Blog these last years,) would be akin to a row of red flags.

    Why might this have been so? My guess is initially, it was a combination of over confidence and cost. Overconfidence because both parties were convinced that “since this had always been adequate, it would always be so” (or because “even if it wasn’t 100%, previous breaches didn’t predict a growing trend”). On the cost side, companies that don’t want to incur the cost of bulk creating, printing, and mailing PIN codes to affected individuals, that don’t want the continuing costs of having to maintain a slightly larger 800-helpline staff for resetting and sending out new PIN codes, or that want to avoid the costs associated with setting up a mobile based 2FA system (with this last one, truly companies living in the past) can find any number of self convincing arguments to avoid the expense of modern security upgrades (truly not avoidance but a kind of greedy, ignorant and foolhardy deferral of expenses, expenses that multiply when the costs of breach are later added in.). Later failures to upgrade are a combination of the previous reasons plus complacency and incompetence.

    Until there is legislation that establishes strong minimum standards (username, not email usernames, long complex passwords, and 2FA, proper hash and salt of such info at rest; a 5-star rating system for both portals and the systems behind them and a requirement that this be prominently displayed on the home and login webpages, etc.) for data security and online access of critical infrastructure, financial and HIPAA related data, and financial penalties for both companies and their individual managers for failure to comply and maintain, these kinds of things will continue to happen.

    As we have it here, Equifax and its customers like Kroger and Stanford are both blaming black hats and each other in their profusion of words. But they know that neither wanted to foot the bill for the more secure kinds of systems possible, and they both convinced themselves that the decision and covering the cost to do better were the other guy’s responsibility.

    I hope all so affected firms are nailed with a massive class action suit.

  11. This is joint responsibility. The vendors should be providing much more secure processes for registration and authentication. There is no excuse in today’s world why they would not. Companies that use these services need to insist on better security or refuse to do business with these companies.

    • “…or refuse to do business with these companies.”

      Like that’s going to happen. Here’s an idea: handle your payroll YOURSELF. But no, we can’t have that! That would make too much sense and might create ‘jobs’ locally. It’s not like anyone actually needs work anyway (half the population living off of government).

  12. Dual factor has been broken. So it takes a minute longer. And there are YouTube videos about how it’s done. I believe that was 2013, the phone conference in Germany. It’s past tax time, and you had not gotten your tax info from the employer, yet? Something else is wrong there. It sounds as if the employee database is inaccurate. That is something no one usually does first.

  13. “Unfortunately, as individuals’ personally identifiable information has become more publicly available, these types of online fraud incidents have escalated. As a result, it is critical for consumers and businesses to take steps to protect consumers’ personally identifiable information including the use of strong passwords and PIN codes. ”

    Wrong, Bernez: It is YOUR responsibility not to issue PII as the default code for your clients to access your system and instead generate and issue a random code that is able to be found elsewhere associated to the person you issued it to. What a buck passer!

    • Sorry that should be “…NOT able to be found elsewhere associated to the person you issued it to.”

  14. Betcha Equifax will offer credit monitoring…free for the first year.

    Sheesh, I was being sarcastic, but according to anonymous, that’s just what they (or at least Northwestern) did!

  15. It’s surprising how often these companies that deal with data breaches have data breaches themselves. Surely they know only too well how expensive these breaches are?

  16. I blame the IRS. Data from a W-2 would have little value if the IRS was not so easily hacked with fake tax return refunds. The thieves already have date-of-birth, SSN, and probably already have home address. There is not anything else on a W-2 that has value outside of filing tax returns.

    Follow the money. It’s up to the IRS to turn off the money faucet.

  17. If there’s been that many breaches because of this default… MAYBE JUST MAYBE Equifax shouldn’t have this be the default anymore.

  18. The IRS doesn’t control the money faucet. That power belongs to the Congressional majorities who are currently “punishing” the IRS because one of its officials took it upon herself to determine if organizations claiming tax exemptions for their donors actually met the legal requirements for such organizations.

    Meanwhile, a number of “technical” solutions to fraud against the American taxpayers via the IRS are not “politically” acceptable.

    The simple fix of delaying payment of ANY refunds until ALL returns are received would raise a firestorm in Congress, which has pushed the IRS for prompt refund payment (current goal is about 7 – 10 business days). And it would also be a major inconvenience for the many taxpayers who use the IRS as a savings institution or who depend on the Earned Income Tax Credit (EITC) as a part of their income.

    The IRS also faces the problem of establishing taxpayer identity without any kind of initial contact. Biometrics are obviously out and don’t even suggest a National Identity Card (why do you think the Social Security Administration goes to such lengths to deny that the Social Security Number is NOT a form of identification).

    The IRS is adopting numerous strategies to combat fraudulent tax returns using such mechanisms as are available and affordable, but they are hampered by Congressional majorities who pay lip service to “running the government like a business”, but give no indication that they know how to run either a government or a business, continuing to under-fund the one agency that actually funds the federal government. It’s as though they believe that a good business person would short change their Accounts Receivable staff because AR is bringing in too much money.

    • It’d be a really funny business that allows people who have purchased goods from the business to give money to the people managing the business in order to forgo making payments to the business. Seems like that kind of business would either go bankrupt or get shut down by prosecutors/regulators in short order.

    • Well said and you are exactly right. I appreciate your insight into and clear articulation of the schizophrenic IRS vs. Congress conflict. It will not improve.

  19. A previous hack allowed this hack… The last 4 of an SSN used for verification is worthless if ID theft has occurred. Most sensitive documents only mask up to the last 4 digits.

  20. Krebs,

    This is at least the third time I have read Experian’s name attached to a compromise. Why hasn’t DOJ or concerned citizens taken legal action against them?

    It would seem to me that Experian couldn’t secure a brown paper sack….

  21. Indian IRS phone scammers are in full effect today. I have received 3 calls from them asking me to call 202-676-6115 to pay for my lawsuit. When I spoke with them ironically they asked me how much money I had with me. I said $5,500 cash and they said that happened to be the exact amount I owed. They asked me to go to the CVS to get a money pak equivalent to pay. After harassing them for quite awhile they got mad and said my case had been closed. A social media search yielded a good amount of complaints today that they were calling. Anyone else get one today?

  22. Hello: I’m with Convenience Store Petroleum magazine and Daily News and would like to write a quick synopsis of your piece based on your article and crediting you as a source. What if any guidelines should I follow? Let me know. Thanks!

  23. Banks that offer on-line banking require strong authentication before activating a PIN, including answering correctly several personal questions including DOB, address, phone number, card number, three-digit security code, expiry date, mother’s maiden name, current balances. Also, in Canada, replacement debit or credit cards must be activated by calling a toll-free number, before they will function.

    Why don’t the Credit Bureaus follow the Best Practices as one can see with banks and on-line banking?