Identity thieves stole tax and salary data from big-three credit bureau Equifax Inc., according to a letter that grocery giant Kroger sent to all current and some former employees on Thursday. The nation’s largest grocery chain by revenue appears to be one of several Equifax customers that were similarly victimized this year.
Atlanta-based Equifax’s W-2Express site makes electronic W-2 forms accessible for download for many companies, including Kroger — which employs more than 431,000 people. According to a letter Kroger sent to employees dated May 5, thieves were able to access W-2 data merely by entering at Equifax’s portal the employee’s default PIN code, which was nothing more than the last four digits of the employee’s Social Security number and their four-digit birth year.
“It appears that unknown individuals have accessed [Equifax’s] W2Express website using default log-in information based on Social Security numbers (SSN) and dates of birth, which we believe were obtained from some other source, such as a prior data breach at other institutions,” Kroger wrote in a FAQ about the incident that was included with the letter sent to employees. “We have no indication that Kroger’s systems have been compromised.”
The FAQ continued:
“At this time, we have no indication that associates who had created a new password (did not use the default PIN) were affected, and we are still identifying which associates still using the default PIN may have been affected. We believe individuals gained access to some Kroger associates’ electronic W-2 forms and may have used the information to file tax returns in their names in an effort to claim a fraudulent refund.”
“Kroger is working with Equifax and the authorities to determine who is affected and restore secure access to W-2Express. At this time, we believe you are among our current and former Kroger associates using the default PIN in the W-2Express system. This does not necessarily mean your W-2 was accessed as part of this security incident. We are still working to identify which individuals’ information was accessed.”
Kroger said it doesn’t yet know how many of its employees may have been affected.
The incident comes amid news first reported on this blog earlier this week that tax fraudsters similarly targeted employees of companies that used payroll giant ADP to give employees access to their W-2 data. ADP acknowledged that the incident affected employees at U.S. Bank and at least 11 other companies.
Equifax did not respond to requests for comment about how many other customer companies may have been affected by the same default (in)security. But Kroger spokesman Keith Dailey said other companies that relied on Equifax for W-2 data also relied on the last four of the SSN and 4-digit birth year as authenticators.
“As far as I know, it’s the standard Equifax setup,” Dailey said.
Last month, Stanford University alerted 600 current and former employees that their data was similarly accessed by ID thieves via Equifax’s W-2Express portal. Northwestern University also just alerted 150 employees that their salary and tax data was stolen via Equifax this year.
In a statement released to KrebsOnSecurity, Equifax spokeswoman Dianne Bernez confirmed that the company had been made aware of suspected fraudulent access to payroll information through its W-2Express service by Kroger.
“The information in question was accessed by unauthorized individuals who were able to gain access by using users’ personally identifiable information,” the statement reads. “We have no reason to believe the personally identifiable information was attained through Equifax systems. Unfortunately, as individuals’ personally identifiable information has become more publicly available, these types of online fraud incidents have escalated. As a result, it is critical for consumers and businesses to take steps to protect consumers’ personally identifiable information including the use of strong passwords and PIN codes. We are working closely with Kroger to assess and monitor the situation.”
ID thieves go after W-2 data because it contains much of the information needed to fraudulently request a large tax refund from the IRS in someone else’s name. Kroger told employees they would know they were victims in this breach if they received a notice from the IRS about a fraudulent refund request filed in their name.
However, most victims first learn of the crime after having their returns rejected by the IRS because the scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.
Kroger said it would offer free credit monitoring services to employees affected by the breach. Kroger spokesman Dailey declined to say which company would be providing that monitoring, but he did confirm that it would not be Equifax.
Update, May 7, 9:44 a.m.: Added mention of the Northerwestern University incident involving Equifax’s W-2 portal.