July 1, 2021

Financial services giant Intuit this week informed 1.4 million small businesses using its QuickBooks Online Payroll and Intuit Online Payroll products that their payroll information will be shared with big-three consumer credit bureau Equifax starting later this year unless customers opt out by the end of this month.

Intuit says the change is tied to an “exciting” and “free” new service that will let millions of small business employees get easy access to employment and income verification services when they wish to apply for a loan or line of credit.

“In early fall 2021, your QuickBooks Online Payroll subscription will include an automated income and employment verification service powered by The Work Number from Equifax,” reads the Intuit email, which includes a link to the new Terms of Service. “Your employees may need to verify their income and employment info when applying for things like loans, credit, or public aid. Before, you likely had to manually provide this info to lenders, creditors or government agencies. These verifications will be automated by The Work Number, which helps employees get faster approvals and saves you time.”

An Intuit spokesperson clarified that the new service is not available through QuickBooks Online or to QuickBooks Online users as a whole. Intuit’s FAQ on the changes is here.

Equifax’s 2017 megabreach that exposed the personal and financial details of 145.5 million Americans may have shocked the public, but it did little to stop more than a million employers from continuing to sell Equifax their employee payroll data, Bloomberg found in late 2017.

“The workforce-solutions unit is now among Equifax’s fastest-growing businesses, contributing more than a fifth of the firm’s $3.1 billion of revenue last year,” wrote Jennifer Surane. “Using payroll data from government agencies and thousands of employers — including a vast majority of Fortune 500 companies — Equifax has cultivated a database of 300 million current and historic employment records, according to regulatory filings.”

QuickBooks Online user Anthony Citrano posted on Twitter about receiving the notice, noting that the upcoming changes had yet to receive any attention in the financial or larger media space.

“The way I read the terms, Equifax gets to proactively collect all payroll data just in case they need to share it later — similar to how they already handle credit reporting,” said Citrano, who is founder and CEO of Acquicent, a company that issues non-fungible tokens (NFTs). “And that feels like a disaster waiting to happen, especially given Equifax’s history.”

In selling payroll data to Equifax, Intuit will be joining some of the world’s largest payroll providers. For example, ADP — the largest payroll software provider in the United States — has long shared payroll data with Equifax.

But Citrano said this move by Intuit will incorporate a large number of fairly small businesses.

“ADP participates in some way already, but QuickBooks Online jumping on the bandwagon means a lot of employees of small to mid-sized businesses are going to be affected,” he said.

Why might small businesses want to think twice before entrusting Equifax with their payroll data? The answer is the company doesn’t have a great track record of protecting that information.

In the days following the 2017 breach at Equifax, KrebsOnSecurity pointed out that The Work Number made it a little too easy for anyone to learn your salary history. At the time, all you needed to view someone’s entire work and salary history was their Social Security number and date of birth. It didn’t help that for roughly half the U.S. population, both pieces of information were known to be in the possession of criminals behind the breach.

Equifax responded by taking down its Work Number website until it was able to include additional authentication requirements, saying anyone could opt out of Equifax revealing their salary history.

Equifax’s security improvements included the addition of four multiple-guess questions whose answers were based on publicly-available data. But these requirements were easily bypassed, as evidenced by a previous breach at Equifax’s employment division.

The Work Number is a user-paid verification of employment database created by TALX Corp., a data broker acquired by Equifax in 2007. Four months before the epic 2017 breach became public, KrebsOnSecurity broke the news that fraudsters who specialize in tax refund fraud had been successfully guessing the answers to those secret questions to reset TALX account PINs, which then let them view past W-2 tax forms for employees at many Fortune 500 companies.

Intuit says affected customers that do not want this new service included must update their preferences and opt out by July 31, 2021. Otherwise, they will be automatically opted in. According to Intuit, customers can opt out by following these steps:

1. Sign in to QuickBooks Online Payroll.

2. Go to Payroll Settings.

3. In the Shared data section, select the pencil and uncheck the box.

4. Select Save.


33 thoughts on “Intuit to Share Payroll Data from 1.4M Small Businesses With Equifax”

  1. Nobby Nobbs

    Thanks for the heads-up, Brian.
    I hope they get massive push-back on this.

    Reply
    1. James sandoval

      They will. Oh btw did you know anyone can launder money in my name, I have A ssn that’s printed on my tndvl10830698, and I don’t have access but everyone else does, also TransUnion has A separate database for me, which is why so many breaches have happened, my credit is always 499 but really 720, they are really trying to cover this up for sex trafficking account, in my name, plus the underground shelters are famous here, they have 7500 kids ready for whatever

      Reply
  2. Apollo

    Criminals are also celebrating this news. That is a treasure trove of data waiting to be stolen. Sales and Marketing Departments will never see eye to eye with their Risk/Fraud/Cyber Security counterparts.

    Reply
  3. BoKnows

    Who voted to put all of our financial data in the hands of the inept? We truly live in the dumbest system.

    Reply
  4. Rich W

    Suppose you’re an employee at a business that is using Intuit (or previously employed). Can I, as an employee, opt out of this? I tried logging into the site and it gave me an “Access denied” message. I’m ASSUMING that this means I cannot opt out of the program.

    Of course, this may be a moot question since they can say anything and do with my data whatever they want to, even if I can somehow opt out.

    Reply
    1. BrianKrebs Post author

      As I understand it, the decision is up to whoever administers the payroll account for the small business. AFAICT, there isn’t a way for individual employees to opt out.

      Reply
    1. Quid

      Anne,

      You may not be any safer being retired.
      Have you set up and secured accounts on SSA.gov, IRS.gov, USPS, placed a freeze on your data with the 3+ credit bureaus, etc. as described in Brian’s previous articles?

      Reply
  5. Tiny Naylor

    I don’t understand how anything positive could result from this kind of information sharing. For example, it’s 100% legal in most places in America for someone who owns a small business to hire their relatives to work for them. I started working in a family owned store when I was 10 years old. All I can foresee is headaches for the business owner and the employee if they don’t meet the expected standards.

    Reply
  6. Jeff Strubberg

    As long as it’s legal to monetize the personal data of others, this will continue.

    You can lay 95% of personal data loss directly at the feet of marketing.

    Reply
  7. Security and Privacy guy

    California residents may be able to prevent this. If Intuit hasn’t changed, and sought permission for, the change in processing from the owners of the data, they could be laying themselves open to a lot of private Rights of Action under CCPA or CPRA. I think they’re trying to release the information as fast as possible to slide under the wire of CPRA effectivity, which is exactly as underhanded as I’d expect Equifax to be.

    Reply
  8. Houston Vanhoy

    Q: What could possibly go wrong?

    A: Anything that you can imagine, and much more – Murphy’s Law in full force.

    Thank you for keeping us informed, Brian.

    Reply
  9. Scott

    Equifax, et al. is likely asking small employers to unwittingly violate the data security and privacy rights of the states in which they operate. There are many states with new and expanding requirements for employers and business to provide “due care” to safeguard customer and employee data!

    Reply
  10. Bob Brown

    I bailed from Intuit when they tried the hidden price increase for TurboTax. They are clearly not to be trusted.

    Reply
  11. Bart

    This is another example that highlights why it has become so necessary to have proper privacy and data ownership legislation. It should simply be illegal for somebody to sell or share your data that you provided for a specific purpose without your consent!
    I wonder if this is already disallowed under the EU GDPR rules and if this is a US problem only?

    Reply
    1. P.D.

      Bert,

      I don’t think there are, what with all the K street lobbyists rollerskating down the halls of Congress, tossing bags of money into each office as they wheel by. (There are four lobbyists to each member-around 1500 last time I checked.)

      Heck, there’s no Federal law that we can bring down on MSFT for the 700 million+ LinkedIn breach, AFAIK!

      The DOJ really needs to start knocking some heads around, including those of The Credit Nazis.

      Reply
    2. Daudi Justin

      The problem is that the data they are seeking to convert does not belong to the individual employees, it belongs to the employers. This is because it is the employer’s records despite the fact that the records contain information about you. Similar to your bank statement. This belongs to the bank as business records, which is why there is no privacy right in bank statements. Thus, even if there were adequate data protection legislation that prohibited the sale or sharing of an individual’s personal data, all Intuit would need to do is get explicit authorization from the employers and they’d likely be in compliance with the law. They could easily incentivize employers to induce them to agree by some sort of profit sharing.

      Reply
  12. dave

    Naturally they happened to choose to use the word “shared” when in reality, the correct word is “sold”. Intuit is making bank selling the private financial data of these businesses and employees.

    Reply
  13. Unblinking

    In the realm of business ethics, Equifax may win the race to the bottom — but Intuit will be right on their ass.

    Reply
  14. dj

    Intuit jumps on the sell(out)-my-customers party train?

    Intuit customers pay Intuit to, among other things, sell them to Equifax and others.

    Small businesses cannot afford to deal with the highly likely harm done by this.

    Reply
  15. JPA

    This kind of stuff will continue to happen until citizens in the US stop drinking the kool-aid of government is the problem and start taking back their government and using it to rein in the power of corporations. Regulation and taxation are the antidotes to this disease.

    Reply
    1. The Wannabe tech guy

      If government isn’t the problem, why do we need to “take it back”? Also, I don’t think many people care about their info being sold or stolen, sadly.

      Reply
      1. Frank

        That comment looks like something a bot would auto-generate. Poor grammar, and conflicting ideas as you pointed out.

        Reply
  16. Anselm Davis

    As long as companies like Equifax can offer “free credit monitoring” instead of facing real punishment, they will continue to have crappy security.

    Reply
  17. Doug F

    Why do we always have to ‘opt out’? I think it should be mandatory that sharing like this is ‘opt in’.

    Reply
  18. Steve Grieb

    Ah, c’mon Doug F, you know why “opt out” is always required.

    Reply
  19. Mahhn

    Super criminals abound, no super heroes. Life as a human is similar to a dairy cow, not really worth living. Just more skimming off the cattle, nothing to see here.

    Reply
  20. Frank

    Individual employees can freeze their reports though, similar to other freezes for credit data.

    Reply
  21. Al Farnschlader

    Good afternoon,
    We use Quickbooks desktop pro 2021. The opt out tips in the article don’t work for this version. Had an online chat with support and was told this version was not affected by this. Does this pass the smell test?

    Reply
