Late last week, an article reported a data-loss incident (breach) in which cyber criminals stole W-2s from the credit bureau Equifax. We will refer to this as the ‘Equifax Breach’ from here on out. So far, the only place we have been able to find this article is KrebsOnSecurity.com, the long-standing breaker of cyber-news; Brian Krebs’s article details how the breach occurred.
At least two customers of the Equifax division W-2 Express were affected in this Equifax breach. W-2 forms were exposed because a weak ‘PIN’ system was implemented.
Thus far, the only known affected customers of W2Express are Kroger and Northwestern University. We expect the number of affected customers to rise if the same weakness was used by other W2Express customers, as opposed to being a scheme enforced by Kroger and Northwestern University themselves.
At this time, we do not know if this was a suggested setup by Equifax, or if the grocer and university came up with the weak PIN codes themselves. The breach came to light after Kroger provided information to their employees on credit monitoring services to be provided to them, and Northwestern University also posted information for staff last week. Again, the affected staff members will be provided credit monitoring during the coming year at least.
The Kroger information release went on to detail how the cyber criminals stole the data using a default login scheme which is weak in the extreme. A simple ‘PIN’ code made up of the last 4 digits of a social security number plus the 4-digit year of birth was used to protect W-2 information on Equifax’s website W2express.com for at least two of their large customers.
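A portal operator can find accounts still protected by this default and force a reset before access is restored. The sketch below is an added example, not code from Equifax, Kroger or the original article; the account layout, the PBKDF2 storage, the 12-character minimum and all function names are assumptions, and the records are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch


def hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


def default_pin(ssn: str, birth_year: int) -> str:
    """Default PIN as the article describes it: SSN last four + birth year."""
    digits = "".join(c for c in ssn if c.isdigit())
    return digits[-4:] + f"{birth_year:04d}"


def uses_default_pin(account: dict) -> bool:
    """True if the stored hash still matches the identity-derived default."""
    pin = default_pin(account["ssn"], account["birth_year"])
    return hmac.compare_digest(hash_secret(pin, account["salt"]), account["hash"])


def acceptable_new_secret(secret: str, account: dict) -> bool:
    """Reject replacements that are short or embed the same identity data."""
    digits = "".join(c for c in account["ssn"] if c.isdigit())
    banned = (digits[-4:], str(account["birth_year"]))
    return len(secret) >= 12 and not any(b in secret for b in banned)


def make_account(name, ssn, birth_year, secret=None):
    """Build a constructed record; no secret means the default PIN is in use."""
    salt = os.urandom(16)
    secret = secret if secret is not None else default_pin(ssn, birth_year)
    return {"name": name, "ssn": ssn, "birth_year": birth_year,
            "salt": salt, "hash": hash_secret(secret, salt)}


# Constructed records; the SSNs are made-up values, not real data.
ACCOUNTS = [
    make_account("alice", "000-00-1234", 1975),
    make_account("bob", "000-00-5678", 1982, secret="correct horse battery"),
    make_account("carol", "000-00-9012", 1990),
]


def accounts_needing_reset(accounts):
    return [a["name"] for a in accounts if uses_default_pin(a)]


if __name__ == "__main__":
    print("force reset:", accounts_needing_reset(ACCOUNTS))
```

The audit needs no plaintext PINs: it recomputes the default from the HR record and compares it to the stored hash, so any account that matches is one whose credential is derivable from data the article says was obtained elsewhere.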
Atlanta-based Equifax’s W-2Express site makes electronic W-2 forms accessible for download for many companies, including Kroger — which employs more than 431,000 people. According to a letter Kroger sent to employees dated May 5, thieves were able to access W-2 data merely by entering at Equifax’s portal the employee’s default PIN code, which was nothing more than the last four digits of the employee’s Social Security number and their four-digit birth year.
“It appears that unknown individuals have accessed [Equifax’s] W2Express website using default log-in information based on Social Security numbers (SSN) and dates of birth, which we believe were obtained from some other source, such as a prior data breach at other institutions,” Kroger wrote in a FAQ about the incident that was included with the letter sent to employees. “We have no indication that Kroger’s systems have been compromised.”
The FAQ continued:
“At this time, we have no indication that associates who had created a new password (did not use the default PIN) were affected, and we are still identifying which associates still using the default PIN may have been affected. We believe individuals gained access to some Kroger associates’ electronic W-2 forms and may have used the information to file tax returns in their names in an effort to claim a fraudulent refund.”
“Kroger is working with Equifax and the authorities to determine who is affected and restore secure access to W-2Express. At this time, we believe you are among our current and former Kroger associates using the default PIN in the W-2Express system. This does not necessarily mean your W-2 was accessed as part of this security incident. We are still working to identify which individuals’ information was accessed.”
Kroger said it doesn’t yet know how many of its employees may have been affected.
The incident comes amid news first reported on this blog earlier this week that tax fraudsters similarly targeted employees of companies that used payroll giant ADP to give employees access to their W-2 data. ADP acknowledged that the incident affected employees at U.S. Bank and at least 11 other companies.
Equifax did not respond to requests for comment about how many other customer companies may have been affected by the same default (in)security. But Kroger spokesman Keith Dailey said other companies that relied on Equifax for W-2 data also relied on the last four of the SSN and 4-digit birth year as authenticators.
We have a feeling there will be more customers of Atlanta-based W-2 Express who come forward with information about their staff being affected by the Equifax breach.
One thing is for sure – the information obtained now allows the cyber-criminals to perform a full Identity Theft of the victims whose W-2 data was exposed in this data breach.