MyPayrollHR, a now defunct cloud-based payroll processing firm based in upstate New York, abruptly ceased operations this past week after stiffing employees at thousands of companies. The ongoing debacle, which allegedly involves malfeasance on the part of the payroll company’s CEO, resulted in countless people having money drained from their bank accounts and has left nearly $35 million worth of payroll and tax payments in legal limbo.
Unlike many stories here about cloud service providers being extorted by hackers for ransomware payouts, this snafu appears to have been something of an inside job. Nevertheless, it is a story worth telling, in part because much of the media coverage of this incident so far has been somewhat disjointed, but also because it should serve as a warning to other payroll providers about how quickly and massively things can go wrong when a trusted partner unexpectedly turns rogue.
Clifton Park, NY-based MyPayrollHR — a subsidiary of ValueWise Corp. — disclosed last week in a rather unceremonious message to some 4,000 clients that it would be shutting its virtual doors and that companies which relied upon it to process payroll payments should kindly look elsewhere for such services going forward.
This communique came after employees at companies that depend on MyPayrollHR to receive direct deposits of their bi-weekly payroll payments discovered their bank accounts were instead debited for the amounts they would normally expect to accrue in a given pay period.
To make matters worse, many of those employees found their accounts had been dinged for two payroll periods — a month’s worth of wages — leaving their bank accounts dangerously in the red.
The remainder of this post is a deep-dive into what we know so far about what transpired, and how such an occurrence might be prevented in the future for other payroll processing firms.
A $26 MILLION TEXT FILE
To understand what’s at stake here requires a basic primer on how most of us get paid, which is a surprisingly convoluted process. In a typical scenario, our employer works with at least one third party company to make sure that on every other Friday what we’re owed gets deposited into our bank account.
The company that handled that process for MyPayrollHR is a California firm called Cachet Financial Services. Every other week for more than 12 years, MyPayrollHR has submitted a file to Cachet that told it which employee accounts at which banks should be credited and by how much.
According to interviews with Cachet, the way the process worked ran something like this: MyPayrollHR would send a digital file documenting deposits made by each of these client companies which laid out the amounts owed to each clients’ employees. In turn, those funds from MyPayrollHR client firms then would be deposited into a settlement or holding account maintained by Cachet.
From there, Cachet would take those sums and disburse them into the bank accounts of people whose employers used MyPayrollHR to manage their bi-weekly payroll payments.
But according to Cachet, something odd happened with the instructions file MyPayrollHR submitted on the afternoon of Wednesday, Sept. 4 that had never before transpired: MyPayrollHR requested that all of its clients’ payroll dollars be sent not to Cachet’s holding account but instead to an account at Pioneer Savings Bank that was operated and controlled by MyPayrollHR.
The total amount of this mass payroll deposit was approximately $26 million. Wendy Slavkin, general counsel for Cachet, told KrebsOnSecurity that her client then inquired with Pioneer Savings about the wayward deposit and was told MyPayrollHR’s bank account had been frozen.
Nevertheless, the payroll file submitted by MyPayrollHR instructed financial institutions for its various clients to pull $26 million from Cachet’s holding account — even though the usual deposits from MyPayrollHR’s client banks had not been made.
REVERSING THE REVERSAL
In response, Cachet submitted a request to reverse that transaction. But according to Slavkin, that initial reversal request was improperly formatted, and so Cachet soon after submitted a correctly coded reversal request.
Financial institutions are supposed to ignore or reject payment instructions that don’t comport with precise formatting required by the National Automated Clearinghouse Association (NACHA), the not-for-profit organization that provides the backbone for the electronic movement of money in the United States. But Slavkin said a number of financial institutions ended up processing both reversal requests, meaning a fair number of employees at companies that use MyPayrollHR suddenly saw a month’s worth of payroll payments withdrawn from their bank accounts.
Dan L’Abbe, CEO of the San Francisco-based consultancy Granite Solutions Groupe, said the mix-up has been massively disruptive for his 250 employees.
“This caused a lot of chaos for employers, but employees were the ones really affected,” L’Abbe said. “This is all very unusual because we don’t even have the ability to take money out of our employee accounts.”
Slavkin said Cachet managed to reach the CEO of MyPayrollHR — Michael T. Mann — via phone on the evening of Sept. 4, and that Mann said he would would call back in a few minutes. According to Slavkin, Mann never returned the call. Not long after that, MyPayrollHR told clients that it was going out of business and that they should find someone else to handle their payroll.
In short order, many people hit by one or both payroll reversals took to Twitter and Facebook to vent their anger and bewilderment at Cachet and at MyPayrollHR. But Slavkin said Cachet ultimately decided to cancel the previous payment reversals, leaving Cachet on the hook for $26 million.
“What we have since done is reached out to 100+ receiving banks to have them reject both reversals,” Slavkin said. “So most — if not all — employees affected by this will in the next day or two have all their money back.”
THE VANISHING MANN
Cachet has since been in touch with the FBI and with federal prosecutors in New York, and Slavkin said both are now investigating MyPayrollHR and its CEO. On Monday, New York Governor Andrew Cuomo called on the state’s Department of Financial Services to investigate the company’s “sudden and disturbing shutdown.”
The $26 million hit against Cachet wasn’t the only fraud apparently perpetrated by MyPayrollHR and/or its parent firm: According to Slavkin, the now defunct New York company also stiffed National Payment Corporation (NatPay) — the Florida-based firm which handles tax withholdings for MyPayrollHR clients — to the tune of more than $9 million.
In a statement provided to KrebsOnSecurity, NatPay said it was alerted late last week that the bank accounts of MyPayrollHR and one of its affiliated companies were frozen, and that the notification came after payment files were processed.
“NatPay was provided information that MyPayrollHR and Cloud Payroll may have been the victims of fraud committed by their holding company ValueWise, whose CEO and owner is Michael Mann,” NatPay said. “NatPay immediately put in place steps to manage the orderly process of recovering funds [and] has more than sufficient insurance to cover actions of attempted or real fraud.”
Requests for comment from different executives at both MyPayrollHR and its parent firm ValueWise Corp. went unanswered, and the latter’s Web site is now offline. Several erstwhile MyPayrollHR employees reached via LinkedIn said none of them had seen or heard from Mr. Mann in days.
Meanwhile, Granite Solutions Groupe CEO L’Abbe said some of his employees have seen their bank accounts credited back the money that was taken, while others are still waiting for those reversals to come through.
“It varies widely,” L’Abbe said. “Every bank processes differently, and everyone’s relationship with the bank is different. Others have absolutely no money right now and are having a helluva time with their bank believing this is all the result of fraud. Things are starting to settle down now, but a lot of employees are still in limbo with their bank.”
For its part, Cachet Financial says it will be looking at solutions to better detect when and if instructions from clients for funding its settlement accounts suddenly change.
“Our system is excellent at protecting against outside hackers,” Slavkin said. “But when it comes to something like this it takes everyone by complete surprise.”
I’m wondering why this article is dated September 19 when today is September 17. It looks like all the comments are from this month & this year (September 2019), so apparently it’s not from a previous year. Hmm. Just a typo I guess.
You’re reading the date incorrectly. It is dated 9/11/19..
“Just a typo”, “Just a typo” Alona, you just keep thinking that. That’s exactly what they want you to think. We know whats really going on nothing happens by accident on the net. Displaying a date 2 days ahead of time has a meaning. We just need to figure out what that meaning is and then this whole thing begins to unravel and then we find out that the Matrix movie wasn’t fiction after all or worse yet neither was the movie Soylent Green.
You sir, need to learn to read correctly
Mike, I’m writing this slowly because I know you cant read fast.
The Internet is brain washing us little by little. Messing with the date format confuses us and makes us question reality, which is part of the plan. Frank is right.
Remember today’s science fiction is tomorrow’s science fact.
1) The date formatting on this website is unfortunate. Mike is correct. Please look at another article and make the correct inference.
2) Either you are paranoid or are trolling/looking to cause panic. Either way, go and find your happy place and quit stoking the fire. понима́ешь?
It is the Day (11) in big font, then month and year (Sep 19) below it in a smaller font.
Joe, look deeper. Look through the glass not into it and you will see the truth.
Can we get a list of the MyPayroll HR clients? I am a contractor who has not been paid for over a month by my company-and now they are not answering their phones or e-mails.
I have sent a letter and other info about my pay, but get no response. I’d like to confirm this is the issue before I pursue legal action against them.
Two weeks on, and there’s still no photo/image of Mr. Mann to be seen online. Nothing. Is it possible that Law Enforcement has asked the “online world” not to post anything?
Yes, law enforcement control all the interwebs.
Here is a video with a picture of him….. National news report
Well, looks like Mann is alive. He just hired an attorney. Sorry about this link, but it’s the best I have at the moment.
Good catch. Same was in WSJ the day before that.
“An attorney for Mr. Mann said his client was cooperating with investigators and would continue to do so.”
Cuomo is “disturbed” and some how this guy has not been arrested yet….
Interesting development: the CEO got arrested.
The only reason for the ny governor to chime in is because he didn’t get a dime out of the fraud.
This video explains why things are currently happening that do not make much sense. This video opened my eyes and it will open yours if you want to know the truth. #WWG1WGA https://www.youtube.com/watch?v=KVeDKuHPDK8
I’ll not waste your valuable time.
The too long didn’t read version of this comunicado is that we have multiple clients in similar but non competing industries and we think you’d make a great link partner.
Accepting any guest posts?
Or have a resources page maybe?
Or possibly could just edit a link into an existing page?
Perhaps you too are looking to increase traffic and search rankings, it’s possible a link exchange with one of our sites is a good match for you?
We’re open to anything really, if you’d like to discuss opportunities, just send an email to the submitted address and we’ll get right with you.
If not, thanks for reading and best of luck. Happy interneting!
P.S. You really should reply, then I’ll reply back, then you can laugh at my funny profile picture. I’d explain further but it would ruin the surprise.