July 19, 2018

Cloud-based human resources company ComplyRight said this week that a security breach of its Web site may have jeopardized sensitive consumer information — including names, addresses, phone numbers, email addresses and Social Security numbers — from tax forms submitted by the company’s thousands of clients on behalf of employees.

Pompano Beach, Fla-based ComplyRight began mailing breach notification letters to affected consumers late last week, but the form letters are extremely vague about the scope and cause of the breach. Indeed, many readers who received these letters wrote to KrebsOnSecurity asking for more information, as the company hadn’t yet published any details about the breach on its Web site. Also, most of those folks said they’d never heard of ComplyRight and could not remember ever doing business with a company by that name.

Neither ComplyRight nor its parent company Taylor Corp. responded to multiple requests for comment this past week. But on Wednesday evening, ComplyRight posted additional facts about the incident on its site, saying a recently completed investigation suggests that fewer than 10 percent of individuals with tax forms prepared on the ComplyRight platform were impacted.

According to ComplyRight’s Web site, some 76,000 organizations — many of them small businesses — use its services to prepare tax forms such as 1099s and W2s on behalf of their employees and/or contractors. While the company didn’t explicitly say which of its cloud services was impacted by the breach, the Web site which handles its tax preparation business is efile4biz.com.

ComplyRight says it learned of the breach on May 22, 2018, and that the “unauthorized access” to its site persisted between April 20, 2018 and May 22, 2018.

ANALYSIS

Even with the additional disclosure published to ComplyRight’s site, it’s difficult to accurately gauge the size of this breach. ComplyRight includes information about its tax solutions division here and it appears that they also file Affordable Care Act (ACA) and HIPAA paperwork. So, if these “solutions” are indeed part of the “tax reporting web platform,” then we’re probably talking way more beyond efile4biz.com’s 76,000 customers. And remember that each “customer” is a business that employs multiple people.

ComplyRight’s efile4biz.com Web site has long stated that the company employs the latest, most sophisticated security measures, noting that “the result is a level of data protection that would thwart even the most determined cyber criminals.”

“Data security is a primary concern with reputable e-file providers like efile4Biz.com,” the site explains. “We use the strongest encryption program available, as recommended by the federal government, to block the interception or interruption of information by a third party. “Data is encrypted as soon as it’s entered on the site, and it says encrypted throughout the entire print, mail and e-file process.”

The site also includes a Geotrust security seal intended to reinforce the above statement. While ComplyRight hasn’t said exactly how this breach happened, the most likely explanation is that intruders managed to install malicious code on the efile4biz.com Web site — malware that recorded passwords entered into the site by employers using the service to prepare tax forms.

Translation: Assurances about the security of data in-transit to or from the company’s site do little to stop cyber thieves who have compromised the Web site itself, because there are countless tools bad guys can install on a hacked site that steals usernames, passwords and other sensitive data before the information is even encrypted and transmitted across the wire.

Also, it’s far from clear that data security is in fact a primary concern of ComplyRight. Let me explain: Very often when I’m having difficulty getting answers or responses from a company that I suspect or know has had a breach, I’ll start identifying and pestering the company’s executives via their profiles on LinkedIn.

As I did so in this case, I was surprised to discover that I couldn’t identify a single ComplyRight employee on Linkedin whose job is listed as related to security. Nor does it appear that ComplyRight is currently hiring anyone in these positions. I did, however, find plenty of network managers and software engineers, Web developers and designers, data specialists, and even several “poster guard specialists” (ComplyRight also produces workplace safety posters of the kind typically hung in corporate breakrooms).

It may well be that there are indeed security personnel working at ComplyRight, but if so they don’t seem to have a LinkedIn profile. Again, neither ComplyRight nor its parent firm responded to multiple requests for comment.

WHAT CAN YOU DO?

The company is offering 12 months of free credit monitoring to those affected by the breach. As I’ve noted several times here, credit monitoring can be useful for helping people recover from identity theft, but it is virtually useless in stopping identity thieves from opening new accounts in your name.

A more comprehensive approach to combating ID theft involves adopting the assumption that all of this static data about you as a consumer — including your name, date of birth, address, previous address, phone number, credit card number, Social Security number and possibly a great deal more sensitive information — is already breached, stolen and/or actively for sale in the cybercrime underground.

One response to this increasingly obvious reality involves enacting a security freeze on one’s credit files with the major consumer credit reporting bureaus. See this primer from last year’s breach at Equifax for more details on how to do that, and for information on slightly less restrictive alternatives.

In addition, people who received a letter from ComplyRight may also file a Form 14039 with the U.S. Internal Revenue Service (IRS) to help reduce the likelihood of becoming victims of tax refund fraud, an increasingly common scam in which fraudsters file a tax refund request with the IRS in your name and then pocket the refund money.

Any American can be a victim of refund fraud, whether or not they are owed money by the IRS. Most people first learn they are victims when they go to file their tax return and the submission is rejected because someone already filed in their name.

By filing a Form 14039, you are asking the IRS to issue you a special one-time code — called an IP PIN — via snail mail that must be entered on subsequent tax returns before the return can be accepted by the IRS.

A couple of caveats about this form: If you request and are granted an IP PIN, make sure you store the information in a safe place that you will be able to access next year when it comes time to file your taxes again (a clearly labeled folder in a locked filing cabinet is a good start).

Also, understand that enrolling in the IP PIN program requires taxpayers to pass an identity-proofing process called Secure Access. This process includes making specific credit inquiries to big-three credit bureau Experian, which means if you already have a security freeze on your consumer credit file with Experian you will need to temporarily thaw the freeze before completing the enrollment. For those contemplating a freeze and seeking an IP PIN, complete the Secure Access enrollment with the IRS before enacting a freeze.

Update, July 23, 8:00 a.m. ET: In a breach notice sent to Wisconsin’s department of consumer protection, ComplyRight said its data breach affected 662,000 people. Thanks to @PogoWasRight for sharing this link.


34 thoughts on “Human Resources Firm ComplyRight Breached

  1. Sarah

    Hi Brian,

    I just wanted to mention that you get a new IRS IP PIN each year, the previous one is not reused.

    And a question, I received a separate email from another security party that mentioned, starting September, ALL credit freezes would be free at the 3 big bureaus, is this true?

    Thanks!

      1. Sarah

        Thank you! I hadn’t taken the time to research it myself, as ours are already frozen, but I appreciate the info!

    1. Bob

      According to my personal experience within the past month (July, 2018), all temporary thaws have already become free (whereas 1 year ago, they weren’t)… This is in WA state, in case that matters.

  2. Nick

    Well, the SSL/TLS settings on efile4biz.com certainly cast doubt on their claim that they “employ the latest, most sophisticated security measures”. According to Qualys SSL Labs, TLS 1.0 (which has been vulnerable for years and went EOL on June 30th) is still enabled and they don’t support forward secrecy or authenticated encryption ciphers. ..

  3. The Sunshine State

    Not to mention the breach at LabCorp this week

  4. Tom Graham

    Brian,
    Thank you for specifically also depicting the possibility (if not likelihood) of tax refund fraud.

    Having received an employer notification letter earlier this week, I had contacted ComplyRight Wednesday morning (7/18/2018) specifically requesting that they provide notice and updates via their website. Thank you for this update that they have now done so.

    On that same call, I specifically asked that they address whether any other key data elements associated with W-2 filings were involved (specifically including employer name, gross wages and withholdings) knowing the value of that data in tax refund fraud (and for other general identity theft purposes.)

    They would not respond other than to repeat the data elements that were depicted in the letter.

    Unfortunately, because most letter recipients (and employers) won’t recognize the name ComplyRight, I suspect that most letter recipients will consider the letter as bogus and disregard it (to their detriment).

  5. Stratocaster

    Look for a new SEC filing to change the firm’s name to ComplyWrong.

  6. Niranjan

    For the experts here, one question

    Are these kinds of breaches targeted more towards US residents because of well defined structure like SSN/DOB used almost everywhere?

    Are European organizations targeted less because of size of the market (many countries, could be that they have different ways of identifying the residents and relatively smaller population) or we just don’t hear about European breaches in US much?

    May be stricter privacy laws are helping to European countries.

    1. Pete

      The main difference is that “identity theft” as in getting lots of money simply by knowing facts about a person works in USA (and to some extent UK) but not so much in most of EU.

      If a copy of my passport, birth certificate and bank account statements would be floating around on the internet then I’d be unhappy because of privacy reasons, not financial ones. Someone having it wouldn’t really give a fraudster any reliable way to obtain any significant money (unlike USA). It might be useful for trying some confidence tricks or personalized phishing or scams, but having all my information is not sufficient (or cost-effective) for actual impersonation / identification to any organization who cares about not losing money.

      Authentication without a pre-existing relationship tends to rely either on physical in-person verification of reasonably secure national IDs or piggybacked on bank account verification. For example, there’s lots of reports about cheating SMS-based 2FA in USA by transferring the phone number to the fraudster; but that’s a USA-specific problem because *there* “something you know” is sufficient; doing the same here would require forging a passport, which raises the barrier/cost of doing that.

      This means that there are less breaches because there’s less motivation for semi-organized fraudsters to do them, there’s much less potential revenue so it’s more profitable to target companies with data on USA residents.

    2. Reader

      Pete’s comments are accurate and leave little to add regarding Europe.

      It’s important to point out that:

      1. The US has the most pro-capitalism market of any large country, so Americans have more per-capita income than other people. That’s a huge target.

      2. The US is a country of great freedoms and opportunities, so there’s a tremendous amount of experimentation and growth in the business sector. Unfortunately, that often outpaces good sense and security measures.

      3. Being first comes at a cost. US electronic infrastructure and financial systems were developed before other countries developed theirs, and when the current scale of globalized criminal organizations and state-sponsored hacking wasn’t envisioned.

      The rest of the world benefited from watching early US mistakes, before installing their own systems. (Just like looking over the neighbor’s lawn before deciding to try their landscaper).

      For criminals intending to make a lot of money, the rest of the world is slow, poor, and cautious, by comparison to the US. It’s far easier and profitable to go after a rich country with a lot of security holes.

    3. timeless

      Sometimes the lack of digital systems is protection. France appears to send out tax documents by post and I suspect expects returns to be returned the same way.

      Also note that the US rakes citizens to file taxes even if they live abroad. Most countries stop when you move away. I’m not sure about the proportion of the population in European countries who ate homeless or who move regularly, but I suspect it’s lower than in the US. Most European countries as far as I know precalculate your taxes and send them to you for verification. I suspect withholding is generally more accurate than in the US. Also it’s likely that there are fewer tax loopholes/variables.

      Finally, at least in the US, there’s a law which requires the IRS to speedily process refunds—often before the IRS receives the corresponding information from employers.

      Is there fraud in Europe? Yes, here’s a simple example:

      https://www.thelocal.fr/20140814/fraudsters-target-french-taxpayers-with-promise-of-refund

      Also, note that most European countries aren’t English speaking, so their fraud attacks won’t naturally make English best unless they’re gigantic.

      1. dt085

        US law doesn’t require prompt refund, but IRS must pay interest on refunds more than 45 days after the filing deadline, which they (not surprisingly) dislike and try to avoid. A 2015 law (PATH) moved up filing of W-2, and 1099-MISC with nonemployee compensation, to Jan. 31 starting last year (2017) although implementation by both payors and IRS the first year was uneven (as is common for such changes). Even so, NTA’s recent ‘objectives’ report (v.1 p.15) quotes TIGTA confirming 94%+ matching for returns filed Feb. 17, 2017 and later, which was about 2/3 of them.

  7. Bob

    Our breach was from a CPA using efile4biz to file and send a 1099, from 5 years past. Not very happy with the Taylor Corporation, ComplyRight and efile4biz. The notice letter was so sketch that I believe most people would suspect it as a scam. More detail was needed and the telephone response by ComplyRight was just horrible.

  8. Shelly

    How will the victims know that they are being victimised so that they can file the Form 14039 immediately?

      1. Jeff

        Do you know if employers who used ComplyRight have any obligation to track down ex-employees and inform them? Or would the notification come directly from ComplyRight?

        1. Randy

          I agree. What happens to people who have moved? I hope they plan to locate people who no longer use the address they have on file.

  9. Soaptrail

    I received a letter but my work has stated they do not use complyright and are investigating.

  10. Rikeen

    The letter is very ambiguous. Several of our Clients are confused and wondering whether the breach came from us.

    As previously stated, the letter is so poorly written that it seems like a scam.

    I am very curious as to how their system compromised given their state-of-the-art security…

  11. Justin

    Brian, can you clarify how to get the Form 14039 approved? I have previously tried to get a free credit freeze due to my data being in the Equifax breach and was told by both Equifax and identitytheft.gov that I didn’t qualify as I wasn’t a victim *yet* as my info was only stolen, my *identity* wasn’t stolen (i.e. used for some nefarious purpose). Form 14039 has similar language that requires you to be an actual victim of “identity theft” not just a data breach.

  12. Monica Stern

    There were two letters sent. One was to the payer (the business) and a different letter to the recipient. My business received a letter and my husband, who is a 1099 recipient got a different letter offering 12 months of credit monitoring.

    Form 14039 can’t be filed unless you have a tax return breach. It is not used for these types of breaches.

    1. BrianKrebs Post author

      Monica,

      Thanks for your comment. I know that used to be the case, but it seems the IRS now does allow you to check a box saying your request is not related directly to an ID theft incident. From the link in the story to the form on the IRS’s site:

      “Some taxpayers who are not victims of tax-related identity theft may use the Form 14039 to obtain an IP PIN by checking Box 2 on the form, indicating no tax administration impact. They will receive a letter inviting them to use the “Get an IP PIN” tool to obtain an IP PIN.”

  13. 2MonthOldLetter

    My first thought that this letter was a scam. If ComplyRight learned about their security breach on May 22nd (almost 2 months ago), why are they just now sending out snail mail letters to everyone that was potentially affected? Identity theft on the Internet is lightning quick and anyone who wanted to would have opened fraudulent accounts long ago. The fact that ComplyRight is offering “1 year free” service tells me that after a year they will start sending everyone automatic renewal charges with very little information on how to cancel prior to the year ends. If it smells “funny”, then it probably is “funny” business.

  14. PDo

    I had a conversation a few months ago with a “Chief Audit Executive” of my credit union regarding the process the CU had established for the election of their Board of Directors.

    As we e-mailed/called each other over time, I realized how many entities — entities about which I had never heard — were handling aspects of my banking with the CU.

    It was ridiculous, and so I can easily see why someone might treat the ComplyRight letter as a scam.

    And all this time I thought I was dealing with my credit union, not Check Printing Company A, Tax Form Managing Company B, Car Loan Company C, and on, and on…AND on.

    Who knew?!

  15. Nick Doe

    The breach of social security numbers, personal emails, and pictures can make a person liable to several mistakes. Getting in touch with the right security agency can be helpful to people who are a potential victim of tax return fraud. Thanks for sharing.

  16. Julie

    I received one of these letters, I did think it was a scam but checked here and I guess it is real. My question is, what service can I use going forward to issue 1099s to my subcontractors next year? Complyright came highly recommended. I live overseas and cannot issue these documents via snail mail.

  17. Dave

    I went to mytrueidentity.com as stated in the letter from ComplyRight to sign up for my free one year online credit monitoring service by TransUnion. I couldn’t find the place to enter the 12-letter Activation Code provided by ComplyRight, so I completed the boxes for their FREE monthly credit monitoring which automatically renews each month. Soooo… Is ComplyRight just acting as a conduit to get people to sign up with TransUnion? Is there really a one year online credit monitoring that ComplyRight is underwriting when TransUnion’s service itself is free? I smell a rat!

Comments are closed.