Cyber Incident Victim: Equifax Inc.
Date: Apr 2016
Location: United States of America
Summary
A subsidiary of Equifax experienced unauthorized access to employee tax records due to weak authentication practices, including easily reset 4-digit PINs and reliance on personal knowledge-based questions vulnerable to exploitation. Attackers stole W-2 data, enabling fraudulent tax refund filings. The breach impacted multiple organizations, though the full scope remains unclear. Security weaknesses included outdated single-factor authentication and insufficient safeguards for sensitive information, highlighting broader industry vulnerabilities in protecting personally identifiable data without mandated stronger measures.
Description
The Equifax TALX payroll division incident involved unauthorized access to employee tax records between April 17, 2016, and March 29, 2017. Attackers exploited weak authentication protocols in TALX's online portal, resetting employee 4-digit PIN passwords and successfully answering personal knowledge-based authentication (KBA) questions to gain access. This allowed theft of W-2 tax data containing sensitive personally identifiable information (PII) including Social Security numbers, addresses, and income details. Equifax confirmed the breach through boilerplate notifications sent to affected customers, though the company stated it could not forensically determine exactly which accounts were compromised due to the attacks appearing as legitimate logins. At least five organizations received breach notifications: Northrop Grumman, Allegis Group, Saint-Gobain Corp., Erickson Living, and the University of Louisville. In communications with the New Hampshire attorney general, TALX attorneys acknowledged the security failures while minimizing the incident's scope, claiming only "a small percentage" of potentially affected accounts were actually breached.

The compromised W-2 data enabled large-scale tax refund fraud, with attackers filing false returns using stolen employee information. This mirrored prior IRS security failures in 2015 when fraudsters exploited similar KBA weaknesses in the agency's "Get Transcript" system, which also relied on Equifax authentication services. Security analysts criticized TALX's reliance on static 4-digit PINs and outdated KBA questions, noting that answers could be easily obtained through commercial data brokers, social networks, or previously breached databases. Equifax implemented two-factor authentication via email or mobile tokens post-breach for notified customers. The incident highlighted systemic vulnerabilities in protecting PII, as credit bureaus faced no federal mandates requiring strong authentication despite handling highly sensitive data. Impacts included IRS reporting of 787,000 tax fraud victims in 2016, though improved screening had reduced this by 50% from 2015 levels. Victims typically discovered the fraud only after their legitimate tax returns were rejected due to prior fraudulent filings.
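The chain described above (a KBA-based PIN reset, then a login and W-2 retrieval that looked like a legitimate session) is the kind of sequence a portal's own audit log can still surface for review even when each step passed authentication. The following is an added example, not code from this page or from Equifax/TALX; the log format, event names, account names, IP addresses and the 24-hour window are all constructed for illustration.

```python
# Added example (not from the page, Equifax or TALX): correlate self-service PIN
# resets that passed KBA with a W-2 download shortly afterwards from a source IP
# the account had never used. Log format, events, names and window are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # assumed review window after a KBA-based reset

# Constructed portal audit log: timestamp|event|account|source_ip
LOG = """\
2016-04-17T09:00:00|login|emp101|10.0.0.5
2016-04-17T09:30:00|login|emp202|10.0.0.7
2016-04-18T02:10:00|pin_reset_kba|emp101|203.0.113.9
2016-04-18T02:12:00|login|emp101|203.0.113.9
2016-04-18T02:13:00|w2_download|emp101|203.0.113.9
2016-04-18T08:00:00|pin_reset_kba|emp202|10.0.0.7
2016-04-18T08:05:00|w2_download|emp202|10.0.0.7
2016-04-19T11:00:00|login|emp303|10.0.0.9
2016-04-19T11:01:00|w2_download|emp303|10.0.0.9
"""

def parse(log):
    """Split the pipe-delimited log into (datetime, event, account, ip) rows."""
    rows = []
    for line in log.splitlines():
        ts, event, account, ip = line.split("|")
        rows.append((datetime.fromisoformat(ts), event, account, ip))
    return sorted(rows)

def flag_reset_then_download(log, window=WINDOW):
    """Return (account, time, ip) for W-2 downloads that follow a KBA-based PIN
    reset within `window` and come from an IP not seen on the account before it."""
    known_ips = defaultdict(set)   # IPs seen on the account outside a reset window
    pending = {}                   # account -> (reset time, reset ip)
    flagged = []
    for ts, event, account, ip in parse(log):
        if event == "pin_reset_kba":
            pending[account] = (ts, ip)
        elif event == "w2_download" and account in pending:
            reset_ts, _ = pending.pop(account)
            if ts - reset_ts <= window and ip not in known_ips[account]:
                flagged.append((account, ts.isoformat(), ip))
        elif event == "login" and account not in pending:
            # Only logins outside a pending reset window count as "known" devices
            known_ips[account].add(ip)
    return flagged
```

Only emp101 is flagged: emp202 reset and downloaded from an IP already associated with the account, and emp303 downloaded without any reset.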
