Equifax has re-opened a Web site that lets anyone look up the salary history of a large portion of the American workforce using little more than a person’s Social Security number and their date of birth. The big-three credit bureau took the site down just hours after I wrote about it on Oct. 8, and began restoring the site eight days later saying it had added unspecified “security enhancements.”
At issue is a service provided by Equifax’s TALX division called The Work Number. The service is designed to provide automated employment and income verification for prospective employers, and tens of thousands of companies report employee salary data to it. The Work Number also allows anyone whose employer uses the service to provide proof of their income when purchasing a home or applying for a loan.
What’s needed to access your salary and employment history? Go here, and enter the employer name or employer code. After that, it asks for a “user ID.” This might sound like privileged information, but in most cases this is just the employees’s Social Security number (or a portion of it).
At the next step, the site asks visitors to “enter your PIN,” short for Personal Identification Number. However, in the vast majority of cases this appears to be little more than someone’s eight-digit date of birth. The formats differ by employer, but it’s usually either yyyy/mm/dd or mm/dd/yyyy, without the slashes.
Successful validation to the system produces two sets of data: An employee’s salary and employment history going back at least a decade, and a report listing all of the entities (ostensibly, the aforementioned “credentialed verifiers”) that have previously requested and viewed this information.
In a story in the financial industry publication National Mortgage News, Equifax said: “As access to the employee portal is restored, individuals must be re-authenticated and establish a unique PIN. Therefore, the data exposed in the cyber incident will not be sufficient to access The Work Number.”
The publication said Equifax declined to answer questions about whether the timing of the portal maintenance or the decision to add new security features were in response to the original Oct. 8 report here, quoting an Equifax spokesman saying the company opted to move up and expand a planned service outage.
“At that time, we also decided to accelerate the implementation of select security enhancements to our platforms which extended the service outage timeframe,” the spokesman said.
I walked through the newer, allegedly more secure portal with a friend and source who worked at a major firm that used The Work Number at some point previously, and at first we couldn’t figure out how to enter his default PIN. A quick search for his employer’s name and “The Work Number” turned up a PDF with instructions stating that the PIN consisted of the last two digits of the employee’s birth year, and the fourth and fifth digit of their SSN.
After passing that screen, the only “security enhancements” I saw that my source encountered was a prompt to enter his full name, date of birth, Social Security number, address, phone number and email, followed by the usual retinue of four multiple-guess “knowledge-based authentication” (KBA) questions. I’ve long been a critic of these KBA questions, because the answers usually are available using sites like Zillow and Spokeo, to say nothing of social networking profiles.
Fortunately, you can reduce the likelihood that an acquaintance, co-worker, stalker or anyone else can glean your salary history by claiming your own account, changing the PIN and selecting a half-dozen security questions and answers. As always, it’s best not to answer these questions truthfully, but to input answers that only you will know and that can’t be found using social networking sites or other public data sources.
I used to think that if you had a security freeze on your credit file at a credit bureau that the bureau would then be unable to ask these KBA questions. I’ve recently worked with several sources who had freezes on their files and yet were still asked these KBA questions. Those individuals may not have all been approved to continue whatever transaction was in progress after answering those questions, but in most cases it shocks folks who have freezes when they even get asked those KBA questions.
However, it seems that each of the cases I’ve seen in which the person had a freeze on their credit file, the applicant was asked only non-financial questions. In other words, they were given questions that one did not necessarily need access to one’s credit card or mortgage statements to answer successfully — such as the names of previous streets resided on or the names of lenders used in the past.
What’s interesting is that these types of questions tend to be easier to answer than, say, ‘What was the amount of your most recent car loan payment?’ That suggests that ID thieves could find people with credit freezes an easier target of services like this one because they face far easier KBA questions after they provide all of the target’s static information (DOB, SSN, etc).
If that sounds ironic or sad, remember that we’re talking about a company whose breach more severely impacted consumers who paid Equifax whatever fees the company is allowed to charge under state laws to freeze the consumer’s credit file.
We all sort of assumed this was the case when Equifax initially disclosed on Sept. 7 that the breach resulted in the theft of SSNs and other data on 143+million people, as well as some 209,000 credit and debit card numbers. But in written notifications recently mailed to victims of the breach, Equifax made it crystal clear that their credit card data was stolen because they once used it at Equifax to request a credit freeze or copy of their credit report.
Does your current or former employer share your salary data with Equifax? If so, were you able to access your salary history via The Work Number site? Sound off in the comments below about any “security enhancements” you encountered along the way.
If you’re still unsure what you should be doing in the wake of the breach at Equifax, see this Q&A.
Did you know that Equifax manages the “MySocialSecurity” site where immediately upon entering you have to put in, each time, your entire SSN?
Will this service become illegal in California on Jan 1st? http://www.sfgate.com/business/networth/article/New-law-bans-California-employers-from-asking-12274431.php
No, not necessarily.
These sorts of reports are used for background checks for people who have already accepted the employment offer, which includes salary. Typically these employment offers say “offer is contingent on results of a background check.” Depending on the way the law is written, there probably isn’t any issues with seeing previous salary if you’ve already negotiated and accepted your new salary.
These services are usually used to simply weed out liars. Its used for a verification for truthfulness on your resume/application. The Work Number can very easily modify the reports for California residents to say only the dates employed, position, and company.
I have a security freeze on all agencies, yet I was able to answer security questions easily and change my PIN.
Also, my employer apparently submits my salary, because I could find even my most recent (10/31/17) pay information.
Echoing Ross, is this service illegal in Massachusetts?
Massachusetts already has in place the law recently passed in California that does not allow prospective employers to ask for current salary info.
This is shocking.
Sure enough: armed with just the name a of a former employer, my SSN, and my date of birth, I was able to access EVERY SINGLE PAYCHECK I have received since 2006. This includes two employers, one a major corporation, the other a startup.
The question I have is: How does this information get to Equifax? Does an employer send this data explicitly, or are the data somehow syphoned off some database via an agreement that Equifax has with payroll processing companies? Is the government somehow involved?
I am going to send a letter to my congressman about this.
I understand that this week, ending 3Nov., our wonderful Congress just passed a bill that disallowed citizens from suing banks. Nice!
Knowing my own info, and guessing the pin (not last yr/45ssn digits but last 4ssn digits) was I was easily able to get my salary info and I have a freezes in place w/all agencies.
Lexis-Nexis bought Choicepoint for their consumer insurance data a few years back after that company had a series of major data breaches, I believe. Seems LN provides consumer info to insurers of all types regarding claims, credit, payment history, etc. You can get a copy of your full data file from them, file disputes on the info, and also freeze your file, but I wonder if this will make it difficult to obtain, maintain, or change insurance. Since most of us have to renew our policies every year, I wonder how big of a hassle this would be. Didn’t check into their fees. Any info, Brian, on Lexis-Nexis security concerns, breaches or business practices? Would you recommend doing a freeze with them? (It’s by snail mail only and requires hard copy documentation of ID info.)
Never heard of this but followed your instructions and discovered my employer has reported payroll information every pay period, in detail, to this outfit. Created my account not knowing the PIN my employer had created, but was allowed to answer security questions that were from my credit report, which has had a freeze on it for years. Then I was allowed to create my own PIN number.
What I want to know is why an Equifax credit freeze does not apply to this service.
To get a security freeze on my The Work Number employment report, I have to go through a separate procedure from the Equifax credit freeze.
In addition to all of my pay checks, the report lists all of my family members and their birthdates, in addition to my job title, as well as my dental insurance, vision insurance, and medical insurance.
If I had had a choice, I would never have consented to having my data sent to this service. For the few times I actually need to have my employment verified, I would gladly handle those on a case-by-case basis.
People should be contacting their employers and asking them if they use The Work Number. We should ask our employers what they are doing to ensure the data is safe that they are willingly continuing to give away to a company that’s been hacked multiple times.
Maybe if enough employees push back on their employers, employers will stop using this service.
My employer does have an account at The Work Number, and it looks like they have an account for me (the system accepted my SSN at logon), but nothing worked as the PIN, and it locked me out, which suits me just fine as long as it stays that way. I’ll check it again later.
My employer uses The Work Number. I tried to login, provided the username and initial PIN number that I located via google. Next, I was prompted for answers about financial based questions regarding a recent auto loan and mortgage loan. Even though I answered the 4 questions correctly, I received an error at the end, indicating that I should contact my employer or call an Equifax 800 number. This is almost certainly due to the credit security freeze that I have on all 4 credit bureaus.
Despite a freeze at all four bureaus I was able to “forgot PIN” my way in to my account. Name, SSN, address that matched a credit score, and 4 basic KBA was all it took…
To my horror, the report I generated myself had my current address on it – despite having left the US years ago. My current employer (or, the US arm of it) – or whoever they use for payroll – seems to be the likely cause of this.