Since the beginning of the year there have been numerous reports of data breaches in which criminals gained access to personal W-2, tax and payroll information, either by hacking into online payroll systems or by tricking employees into allowing access to this information.
On March 8, 2016, Ozaukee County reported that its payroll and tax portal “Greenshades” had been breached and the personal information of approximately 200 employees was compromised. According to the Greenshades website, the company is experiencing an abnormal increase in identity thieves using personal information to log into its system to access personal tax information.
Sequoia Union High School reported on February 3, 2016 that an unauthorized third party gained access to an office computer and accessed information on employees and retirees as a result of a phishing incident.
On February 24, 2016, Central Concrete Supply Co., Inc., Right Away Redy Mix, Inc., and Rock Transport, Inc. became aware of a data breach in which they believe a third party gained access to copies of 2015 W-2 income and tax withholding statements. The information was stolen through a sophisticated social engineering scheme in which an outside party posing as another person convinced a Central Concrete Supply employee to provide copies of documents by email.
In another breach, Turner Construction Company reported that certain personal information was disclosed in an email to an unauthorized recipient. As a result, other persons may have obtained personal identifying information including name, Social Security number, name of each state in which wages or taxes were reported for the affected residents, and federal, state, local and Medicare earnings and tax withholding data.
Earlier this year, a former records clerk at Tampa General Hospital was arrested for theft when it was learned that she accessed personal identifying information of patients and used that information to file $671,022 in fraudulent tax returns.
As these cases exemplify, criminals are targeting all types of businesses in order to gain access to the personal information of employees. It appears that they have shifted their focus from credit card data to the personal employee information that all businesses have. Whether that information is outsourced to a payroll firm or retained internally, criminals are using sophisticated social engineering and phishing schemes to trick unsuspecting employees into providing access to it.