Cyber Incident Victim: Alpha Payroll Services

Date: Mar 2016

Location: United States of America

Summary

A payroll services provider suffered a data breach when an employee fell victim to a phishing email impersonating the company's CEO, resulting in unauthorized access to all clients' employee W-2 forms containing sensitive personal and financial information. The compromised data included names, addresses, Social Security numbers, salary details, and tax information, creating risks for tax fraud and identity theft. In response, the organization terminated the involved employee, engaged investigative experts, notified law enforcement agencies including the IRS and FBI, implemented mandatory phishing awareness training for staff, and offered affected individuals one year of complimentary identity protection services.

Description

In early March 2016, Alpha Payroll Services LLC experienced a significant data breach when an employee fell victim to a phishing email impersonating the company’s CEO. The fraudulent email, received on or around March 1-2, used a disguised sender address matching the CEO’s legitimate email and specifically requested copies of all 2015 W-2 forms processed for the company’s clients. The employee complied with this request, transmitting sensitive W-2 data containing employees’ full names, addresses, Social Security numbers, wage and salary details, tax withholdings, and employer information. This information is highly valuable for criminal activities such as tax refund fraud and identity theft. The incident was categorized as a Business Email Compromise (BEC) attack, part of a broader trend that saw at least 100 similar incidents reported by mid-2016. The breach impacted all clients of Alpha Payroll Services, a division of Alpha Card Services, though the exact number of affected individuals was not disclosed in available reports.

The breach was discovered by Alpha Payroll Services’ internal team, prompting immediate response measures. On April 29, 2016, external legal counsel from Vedder Price formally notified the New Hampshire Attorney General’s Office about the incident. The company terminated the employee responsible for complying with the phishing request and engaged external experts to assist with forensic investigation. Law enforcement agencies, including the IRS Criminal Investigation Division and the FBI, were contacted to support the inquiry. Alpha Payroll Services implemented mandatory retraining for all employees on phishing awareness and verification protocols for email requests. As remediation for affected individuals, the company offered one year of identity protection services through AllClear ID. No evidence suggested misuse of the stolen data at the time of reporting, but the exposure created substantial risks for identity-related fraud across the payroll provider’s client base.
