ADP Latest to Get Hit by Hackers

InstaCart, a grocery and home essentials delivery service, denies a data breach is the source of customer information being sold online on hacker forums. It says it believes the information was stolen from its platform using a “credential stuffing” attack. According to BuzzFeed News, sellers on two dark web stores are hawking information from 278,531 InstaCart accounts. South African branch of consumer credit reporting agency Experian discloses data breach.

In May 2016, ADP, a payroll processing company, experienced a data breach that exposed the tax information of some employees of its clients, making them vulnerable to tax fraud and identity theft. Cybercriminals exploited unique ADP corporate registration codes posted on unsecured websites to create fake ADP accounts and access the tax information. The breach was discovered after several customers reported fraudulent transactions made through ADP’s self-service portal, with at least one institution, U.S. The hacked companies reset the passwords of the affected accounts and notified the affected users of the breach. The website with the most passwords stolen was Facebook with 318,000; however, the hacked company that poses the biggest risk to businesses is ADP, which is a popular payroll management app.

The victim companies were the ones that published their signup link and code somewhere publicly accessible. ADP has thus far not released information on how many records were put at risk by the successful hack against them, and security experts stress that ADP itself was not hacked. In his report, cybersecurity journalist Brian Krebs noted that at least one institution, U.S. Bank, one of America’s most sizable commercial banks, has duly notified a portion of its workforce affected by the stolen W-2 data, pointing to a “weakness in ADP’s customer portal”. Things like bank account numbers and social security numbers are stock in trade for legions of hackers.

  • It’s estimated that as many as 2.5 million accounts are affected by the incident.
  • The agency says the company did not have enough risk management controls in place before the incident took place.
  • If you use ADP, your best move from here is to contact them directly to find out if any of your employee records were impacted.

The information is from W-2 forms, the documents workers get from their employers in late January or early February so they can file their annual tax returns with the Internal Revenue Service and state tax departments. Politics and management blunders are very high here and if you can avoid those traps ADP can be a great company to work for. A very fast paced sales environment, that rewards its employees with high compensation. Scammers view small businesses as an easy target, mostly due to their lack of resources. If you have any questions about our Stratus.hr security measures and/or would like information about personal security products for employees such as Lifelock, please contact us.

Be sure to include as many details of the suspected vulnerability as possible, including the product tested, date, account names, etc. By submitting the vulnerability reporting form, you confirm that you are meeting the requirements of the ADP Vulnerability Disclosure Program. Some client companies were not careful enough with these codes and posted them publicly on their websites. Armed with a stolen social security number and a code grabbed from some public domain source, hackers can inject themselves into ADP’s normal process, and make off with thousands, and perhaps even millions of people’s personal information. ADP is the world’s largest HR firm, handling tax and payroll accounts for more than 640,000 companies that collectively employ millions of people. It may be possible that your company is one of the hundreds of thousands that rely on ADP for this function.

  • This included monitoring the web for any other clients who may have shared their signup links and unique company codes, and turning off self-service registration access if such codes were found.
  • Experts have identified the importance of keeping the security of IT supply chains and contractors intact as these represent potential weak points in the security of any organization.
  • Additionally, ADP investigated the unauthorized access after receiving reports of fraudulent transactions made through its self-service portal and worked with a federal law enforcement task force to identify the perpetrators.
  • According to the National Cyber Security Alliance, 20% of American small businesses are attacked by cyber criminals.
  • Cybercriminals took advantage of the available information and used them to create fake ADP accounts.

Does Amazon use ADP for payroll?

Much has been said in the recent past about the growing sophistication of hacking attacks, and this latest, sadly successful attack on ADP is a perfect example of that sophistication. The data exposed in the breach included tax information of employees of some ADP clients. If you suspect fraudulent activity on your account, contact your assigned ADP client service team for assistance. Data security threats today move fast and are increasingly sophisticated.

Third-party risk management

The first step involves setting up the account, which requires social security numbers and other personal data that hackers are very good at getting their hands on. HR giant ADP, which provides payroll, tax and benefits administration for more than 640,000 companies, was hit hard by identity thieves this week. The perps made off with tax and salary data, according to a report from Brian Krebs—although the actual number of people affected has yet to be revealed.

Additionally, many companies post unique ADP identification codes publicly for the convenience of their employees. ADP is a third-party service provider that offers payroll, tax and benefits administration to its vast clientele of over 640,000 companies around the world. Using a process called “Flowjacking”, hackers were able to determine the work and data flow of ADP’s internal processes. They found out, for example, that setting up a user account with the company was a two-step process.

Both U.S. Bank and ADP said the actual number of affected employees was limited, but did not reveal exact numbers. ADP also told Krebs that the same fraud was used against “a very small subset” of ADP’s total customers this year. If you are an employee of an ADP client and are concerned about the breach, you may visit Have I Been Pwned to check if your credentials have been compromised. Of course, the minuscule possibility means nothing if you’re in that small group that was hacked.

What should affected users do?

Norton Rose Fulbright is currently helping multiple companies investigate and respond to these types of incidents.

ADP says the incidents occurred because the victim companies all mistakenly published sensitive ADP account information online that made those firms easy targets for tax fraudsters. It says affected stores may have had customer data exposed, including basic contact information, such as email, name, and address, as well as order details, like products and services purchased. Credit card and other financial information was not affected by the incident, it adds. The problem, Cloutier said, seems to stem from ADP customers that both deferred that signup process for some or all of their employees and at the same time inadvertently published online the link and the company code.

By way of inserting a malicious code into the software, hackers managed to access information provided by customers making purchases. Dave, an overdraft and cash advance service, confirms data breach resulting in the theft of a database containing 7.5 million user records. According to news reports, cyber criminals appear to have gained unauthorized access to ADP, Inc.’s self-service customer portal to file fraudulent tax returns for some ADP customer employees. ADP has reportedly confirmed that a subset of its customers have been the victim of tax fraud perpetrated by hackers posing as customer employees on ADP’s portal. The breach was discovered after several customers reported fraudulent transactions made through ADP’s self-service portal.

Among other controls listed above, Stratus.hr is currently undergoing an SOC I audit that, after completed, will include a risk assessment to hone our security practices and help us reduce our overall vulnerabilities and threats. Performing this annual audit helps us proactively ensure that our internal controls are suitably designed to meet our objectives. Norton Rose Fulbright Verein helps coordinate the activities of the members but does not itself provide legal services to clients. For more specific help and instructions related to ADP’s data breach, please contact ADP Customer Service directly. On May 31, Alberta’s Security Management for Critical Infrastructure Regulation (the Regulation), came into force.

I don’t know if the message is a legitimate email or a phishing attempt. Can ADP help confirm its validity?

Also watch for any follow-up correspondence from the IRS about your real or possible fake returns and respond immediately. On the tax side, if you know or even just suspect that your ID has been stolen, the IRS recommends you send it Form 14039, Identity Theft Affidavit. This puts the agency on alert for your Social Security number and other information that could show up on a fake return.
