October 8, 2017

Equifax Breach Fallout: Your Salary History

In May, KrebsOnSecurity broke a story about lax security at a payroll division of big-three credit bureau Equifax that let identity thieves access personal and financial data on an unknown number of Americans. Incredibly, this same division makes it simple to access detailed salary and employment history on a large portion of Americans using little more than someone’s Social Security number and date of birth — both data elements that were stolen in the recent breach at Equifax.


At issue is a service provided by Equifax’s TALX division called The Work Number. The service is designed to provide automated employment and income verification for prospective employers, and tens of thousands of companies report employee salary data to it. The Work Number also allows anyone whose employer uses the service to provide proof of their income when purchasing a home or applying for a loan.

The homepage for this Equifax service wants to assure visitors that “Your personal information is protected.”

“With your consent your personal data can be retrieved only by credentialed verifiers,” Equifax assures us, referring mainly to banks and other entities that request salary data for purposes of setting credit limits.

Sadly, this isn’t anywhere near true because most employers who contribute data to The Work Number — including Fortune 100 firms, government agencies and universities — rely on horribly weak authentication for access to the information.

To find out how easy it is to view your detailed salary history, you’ll need your employer’s name or employer code. Helpfully, this page lets you look that up quite easily (although if you opt to list employers alphabetically by the first letter of the company name, there are so many entries for each letter that I found Equifax’s database simply crashes half the time instead of rendering the entire list).


What’s needed to access your salary and employment history? Go here, and enter the employer name or employer code. After that, it asks for a “user ID.” This might sound like privileged information, but in most cases this is just the employee’s Social Security number (or a portion of it).

At the next step, the site asks visitors to “enter your PIN,” short for Personal Identification Number. However, in the vast majority of cases this appears to be little more than someone’s eight-digit date of birth. The formats differ by employer, but it’s usually either yyyy/mm/dd or mm/dd/yyyy, without the slashes.

Successful validation to the system produces two sets of data: An employee’s salary and employment history going back at least a decade, and a report listing all of the entities (ostensibly, the aforementioned “credentialed verifiers”) that have previously requested and viewed this information.

Once you’re successfully “authenticated,” the system asks you to change your PIN to something more secret than your birthday. When the default PIN is changed, The Work Number prompts users to select a series of six challenge/response questions, which Equifax claims will “improve the security of your data and create an extra layer of protection on your account.”
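As an added illustration (not code from the post, from Equifax or from The Work Number), here is the kind of server-side PIN-policy check such a service could apply when a user picks a new PIN: it rejects any eight-digit PIN that reads as a plausible birth date in either of the two layouts the post describes (yyyymmdd or mmddyyyy), or that equals the user’s date of birth on file, and it counts how few eight-digit strings a birth-date PIN can actually take. The age window, the extra rejection rules and the sample values are my assumptions.

```python
import re
from datetime import date, datetime, timedelta
from typing import List, Optional, Tuple

# Layouts the post says employers use for the default PIN:
# yyyy/mm/dd or mm/dd/yyyy with the slashes removed.
DATE_LAYOUTS = ("%Y%m%d", "%m%d%Y")
# Assumed age window for "could be a living person's birth date".
MIN_AGE, MAX_AGE = 14, 100


def date_interpretations(pin: str) -> List[Tuple[str, date]]:
    """Every (layout, date) reading of an 8-digit PIN that is a real calendar date."""
    out = []
    for layout in DATE_LAYOUTS:
        try:
            out.append((layout, datetime.strptime(pin, layout).date()))
        except ValueError:
            pass  # not a valid date in this layout
    return out


def plausible_birthdate(d: date, today: date) -> bool:
    return today.year - MAX_AGE <= d.year <= today.year - MIN_AGE


def check_pin(pin: str, dob: Optional[date] = None,
              today: Optional[date] = None) -> List[str]:
    """Reasons a proposed PIN should be rejected; an empty list means acceptable."""
    today = today or date.today()
    if not re.fullmatch(r"\d{8}", pin):
        return ["PIN must be exactly 8 digits"]
    problems = []
    if len(set(pin)) == 1:
        problems.append("all digits identical")
    if pin in ("12345678", "87654321"):
        problems.append("sequential digits")
    for layout, d in date_interpretations(pin):
        if dob is not None and d == dob:
            problems.append(f"equals date of birth ({layout})")
        elif plausible_birthdate(d, today):
            problems.append(f"reads as a birth date {d.isoformat()} ({layout})")
    return problems


def birthdate_pin_count(today: date) -> int:
    """Distinct 8-digit strings that read as a plausible birth date in either layout."""
    strings = set()
    d = date(today.year - MAX_AGE, 1, 1)
    end = date(today.year - MIN_AGE, 12, 31)
    while d <= end:
        for layout in DATE_LAYOUTS:
            strings.add(d.strftime(layout))
        d += timedelta(days=1)
    return len(strings)
```

Compare the count with the 100,000,000 possible eight-digit PINs to see how little a birth-date default actually protects.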

Unfortunately, consumers whose employee history is stored by this service effectively have no privacy or security unless they possess both the awareness that this service exists and the forethought to access their account online before identity thieves or others do it first.


The Work Number does allow employers to opt for TALX’s “enhanced authentication” feature, wherein after logging in with your employer ID and PIN (often the last four digits of an SSN plus the birth year), the system is designed to require the requester to respond to an email at a work address or a phone call to a work number to validate the login.

However, I did not find this to be the case in several instances involving readers whose employers supposedly used this enhanced authentication method. In cases where corporate human resources departments fail to populate employee email addresses and phone numbers, the system defaults to asking visitors to enter any email address and phone number to complete the validation. This is detailed here (PDF), wherein The Work Number states “if you do not have the required phone and e-mail information on file, you will be prompted to update/add your phone numbers/email addresses.”


Worse yet, while companies that use this service tend to vary their approaches to what’s required in terms of user IDs and PINs, a great many employers publish online detailed instructions on how to fill out these various forms. For example, the State of California‘s process is listed here (PDF); instructions for the Health Resources & Services Administration (HRSA) are here; employees at the National Institutes of Health (NIH) can learn the steps by consulting this document (PDF). The process for getting this information on current and former UCLA employees is spelled out here. There are countless other examples that are easy to find with a simple Internet search.

Many readers probably consider their current and former salaries to be very private information, but as we can see this data is easily available on a broad spectrum of the working population in America today. The information needed to obtain it has been widely compromised in thousands of data breaches over the past few years, and the SSN and DOB on most Americans is for sale in a variety of places online. In short, if you can get these details from Equifax’s online service, so can anyone else.

Fortunately, you can reduce the likelihood that an acquaintance, co-worker, stalker or anyone else can do this by claiming your own account, changing the PIN and selecting a half-dozen security questions and answers. As always, it’s best not to answer these questions truthfully, but to input answers that only you will know and that can’t be found using social networking sites or other public data sources.

I could see this service potentially helping to create a toxic workplace environment because it offers a relatively simple method for employees to glean data about the salaries of their co-workers and bosses. While some people believe that companies should be more transparent about employee salaries, this data in the wrong hands very often generates a great deal of resentment and hostility among co-workers.

Employers who use The Work Number should strongly consider changing as many defaults as possible, and truly implementing the service’s enhanced authentication features.

October is National Cybersecurity Awareness Month, and as such KrebsOnSecurity will continue pointing readers to similar services that let anyone access your personal data armed with little more than static identifiers about you that should no longer be considered private. Although some readers may take issue with my pointing these out — reasoning that I’m only making it easier for bad people to do bad things — it’s important to understand that knowledge is half the battle: Planting your flag before someone else does is usually the only way to keep others from abusing such services to expose your personal information.

Update, Oct. 9, 10:00 a.m. ET: The Work Number site is currently down for maintenance. A notice on the site says the company took the portal down a few hours after my story was published yesterday, without the usual advance warning the company offers for scheduled maintenance. The notice reads:

“Equifax Workforce Solutions is currently performing maintenance activities that will affect the following applications:

The Work Number EDR”

“We apologize for any inconvenience this may cause, but it is necessary to ensure that Equifax Workforce Solutions continues to provide you the industry-leading services you have come to expect.”

Also, several readers pointed out that when they tried the service Sunday evening before Equifax took it down they were asked to answer knowledge-based authentication questions before being able to authenticate to the portal to view their salary history. While this is a welcome additional step, regular readers here know how easy it is for ID thieves to bypass these multiple-guess questions (as the answers usually are available using sites like Zillow and Spokeo, to say nothing of social networking profiles).

Related reading:

USPS ‘Informed Delivery’ is Stalker’s Dream
Student Aid Tool Held Key for Tax Fraudsters
Sign Up at IRS.gov Before Crooks Do It For You
Crooks Hijack Retirement Funds via SSA Portal
Social Security Administration Now Requires Two-Factor Authentication
SSA: Ixnay on txt msg reqmnt 4 e-acct, sry


82 comments

  1. Another thing this tool would show is who *doesn’t* work for the company. Years ago I worked with a telephone company employee on a criminal matter. It turned out the guy wasn’t a telephone company employee, but an FBI agent who was working within the telephone company (with the phone companies permission).

    That’s why the Snowden information was surprising to me – I thought that the FBI had inside people at all the telephone companies. I guess at some point the FBI just remoted the network access.

    But in the post-Snowden world, I would not be surprised if the FBI returned to embedding people in telecomm companies for conducting investigations. And Facebook, Google, etc.

  2. For those who haven’t accessed the site: there is quite a bit of information there that someone can get on you for such a minimal level of effort.

    – Full Social Security Number
    – Job Start Date
    – Employment Status
    – Job Title
    – Yearly Salary (Gross & Net)
    – Hours Worked (if hourly)
    – Individual Pay Checks (Gross & Net)
    – Bonuses (Gross & Net)
    – Recent Credit Inquiries on your Credit
    – Employee’s Mailing Address

    Basically enough information for someone to quite easily file a fake tax return in your name. Not to mention potential abuse from stalkers, etc.

  3. Anything left with Equifax that hackers did not manage to get their hands on?

    With hundreds of Equifax security personnel everything seemed awesome until shipwrecked, then you see the true colors of organisations.

    Captains jumping with bags full of gold.

  4. Rarely is there a need for historical salary information by external parties, other than “time at this company”. Nearly always, only the current salary to a first approximation is needed to make sure the product can pay the bills. Rarely, more detail is needed, say for making a salary offer. In that case, real forms of authentication should be used. Or pound salt and make a salary offer based on potential employee value instead of how much you can squeeze the potential employee.

    Seems like Equifax is caught up in legacy– Talx started by providing all this information, and now the customers want it to stay that way. Which brings up the question, if anyone can just suck data from Talx, exactly how is Equifax monetizing this? Or are they not directly monetizing the information and therefore there is not a Talx money stream to finance security? And if there is virtually no security, why are companies fixated on PII and SPI still giving Talx data (one can still access Talx after all). Something is stinking more in the Equifax ecosystem.

  5. How can we opt out of this data being shared? I think it would be very, very harmful for a prospective job client or someone to get access to this service, and use the data contained therein to discriminate, unfairly manipulate salary negotiations, or a harmful employer disrupting your future job prospects altogether.

  6. System is Down for Maintenance. Hopefully, your story helped shed light on the problem.
    Thanks!

  7. The main site seems to be up again; however, when attempting to search for a Company Name or log in as an employee with my company’s name, I received the same message:

    Important System Maintenance Notice

    We are currently completing system maintenance in the area you tried to access.

    As part of our ongoing commitment to performance, reliability and security, Equifax Workforce Solutions will be servicing The Work Number starting Sunday, October 8, 2017. This will result in temporary service interruptions.

    If you have received this notice you may call our service center at 800-367-2884. We can assist you with Employee Data Report requests. However, we regret that we are unable to complete salary key requests at this time. Please revisit the site tomorrow for a status update and accept our apologies for any inconvenience this may cause.

  8. I know the issue here is security, but another Equifax dirty secret is that the Work Number data is sold to debt collectors.

  9. So a doctor has a laptop with PHI stolen, and he is fined by the feds, but Equifax basically gives out everything they have on 80% of the country and they get awarded more business by the government…..

  10. All-Purpose Guru

    It appears that someone at Equifax has realized that allowing you to search for a company name is a hole in their security, they’ve locked that out with the aforementioned “Important System Maintenance Notice”.

    If you know your company code, the system might still work…

    • Nope. I entered my employer code and it’s still locked out (as of 10/12/17). I guess they have to re-architect their whole interface to make it secure.

  11. LMAO, looks like they pulled down these pages so they can FINALLY fix the issues.

  12. Scheduled Maintenance = Got A call from Brian Krebs !!!

  13. A quick donation search of the following shows how equifax has monetized this system. In some cases it amounts to corporate and personal espionage imo.

    site:www.theworknumber.com filetype:pdf

  14. Ah triple drat, dangit

  15. Does this only work if employers opt in? The first thing it’s asking me for is an employer name, and there’s an FAQ that mentions “When an employer decides to use…” implying that not all employers use it. None of my previous employers work when I try to log in, and there doesn’t seem to be a way to just log in as a person.

  16. Dang it. It’s being fixed. I was going to use it to see if the guy I am dating really makes six figures!!! Or if he was just renting the Lamborghini he picked me up in???

  17. Magnificent points altogether, you just received a new reader. What might you recommend about your put up that you just made a few days ago? Any sure?

  18. Great article!
