
Cyber Incident Victim: ADP
Date: Apr 2016
Location: United States of America

Summary

Fraudsters accessed tax and salary data through ADP's customer portal by exploiting static authentication mechanisms, combining pre-existing personal information—names, dates of birth, and Social Security numbers—with exposed registration details to create unauthorized accounts. The attackers targeted multiple customer organizations that had inadvertently published their company-specific registration links and codes online, which gave the fraudsters access to employee W-2 forms that were then used to file fraudulent tax refund claims. ADP confirmed the breach affected a small subset of its clients and emphasized that the stolen personal data originated outside its systems. The payroll provider responded by implementing web monitoring to detect exposed customer codes and disable self-service registration for the affected clients, while exploring supplemental authentication measures such as knowledge-based questions. One financial institution customer acknowledged that it had publicly shared its portal registration details for employee convenience and discontinued the practice after the incident.


Description

In April 2016, identity thieves stole tax and salary data from ADP, a payroll and benefits administration provider serving over 640,000 companies. The attackers targeted ADP’s customer portal by registering fraudulent accounts in the names of employees at more than a dozen client organizations, including U.S. Bancorp. The theft was possible because victim companies had inadvertently published their ADP registration details—a custom registration link and a static company-specific code—on publicly accessible online resources. Fraudsters combined these exposed details with personal data acquired elsewhere (names, Social Security numbers, and dates of birth) to impersonate employees and retrieve their W-2 forms. U.S. Bank confirmed the breach affected a "small population" of its workforce, with criminals using the stolen W-2 data to file fraudulent tax refund claims with the IRS. ADP clarified that the personal information used for account creation did not originate from its systems, emphasizing that attackers obtained it from external sources. The incident highlighted a weakness in ADP’s authentication framework: it relied on static identifiers that could be defeated with basic personal details widely available in cybercrime markets.


ADP responded by implementing web-monitoring systems to detect exposed registration codes and disable self-service registration for the customers concerned. The company acknowledged that affected clients had deferred employee account creation while publishing the portal registration details, which is what enabled the unauthorized access. ADP’s Chief Security Officer Roland Cloutier pointed to existing security options, such as Personal Identification Codes (PIC), and revealed trials of knowledge-based authentication (KBA) questions to supplement verification. However, the source article referenced IRS incidents in which similar KBA systems had failed because they relied on publicly accessible data. U.S. Bank stopped publishing the ADP portal link and code after the breach; it had initially classified them as non-sensitive identifiers rather than authentication safeguards. The incident underscored systemic authentication weaknesses, although ADP maintained that its layered approach—including client codes and PICs—provided stronger security than the IRS systems compromised in prior tax fraud cases. No quantitative impact beyond U.S. Bank’s "small subset" of affected employees was disclosed.
