
Cyber Incident Victim: Equifax Inc.

Date: May 2016

Location: United States of America

Summary

Identity thieves exploited weak default authentication in Equifax's W-2Express portal, using employees' last four Social Security digits and birth years as PINs to access tax and salary data. The breach impacted multiple organizations, including a major grocery chain and universities, enabling fraudulent tax refund filings. Affected individuals risked IRS rejection of legitimate returns due to preemptively filed fraudulent claims. Equifax acknowledged unauthorized access via compromised personal information from external sources but did not disclose the full scope. The victim organization offered credit monitoring services unrelated to Equifax while collaborating to investigate and secure the system.


Description

In May 2016, identity thieves exploited weak authentication controls in Equifax’s W-2Express portal to steal employee tax and salary data from multiple organizations, including Kroger, Stanford University, and Northwestern University. Attackers accessed electronic W-2 forms by entering default PINs consisting of the last four digits of employees’ Social Security numbers and their four-digit birth years. Kroger, the largest U.S. grocery chain with over 431,000 employees, notified affected current and former staff on May 5 after discovering unauthorized access to its Equifax-hosted payroll records. The breach occurred because Equifax’s system allowed authentication using these predictable default credentials, which criminals likely obtained from prior unrelated data breaches. Kroger clarified that only employees who had not changed their default PINs were vulnerable, though the exact number compromised remained undetermined during initial investigations. Similar incidents impacted Stanford University (600 employees) and Northwestern University (150 employees) earlier in 2016 through the same Equifax service.


The stolen W-2 data enabled criminals to file fraudulent tax returns to claim illegitimate refunds, with victims typically discovering the theft only after IRS rejection notices or direct fraud alerts. Kroger initiated credit monitoring services for affected personnel through an unspecified third-party provider, explicitly excluding Equifax from this role. Equifax acknowledged the breach in a public statement, attributing the incident to attackers leveraging publicly available personal information and emphasizing the need for stronger authentication practices. The company collaborated with victim organizations and law enforcement to investigate the scope and secure the portal, though it did not disclose the total number of affected companies beyond confirmed cases. No technical details about intrusion methods beyond credential misuse were revealed, nor were attacker identities or motives specified beyond financial fraud objectives. The incident highlighted systemic vulnerabilities in Equifax’s authentication design, which multiple client organizations relied upon as a standard configuration despite its inherent security shortcomings.
