Cyber Incident Victim: PaperlessPay Corporation

Date: Feb 2020

Location: United States of America

Summary

PaperlessPay Corporation experienced a cybersecurity breach involving unauthorized access to its SQL server, discovered after being alerted by authorities about client data being offered for sale on the dark web. The compromised information potentially included employee names, addresses, Social Security numbers, bank account details, and payroll data from multiple client organizations across healthcare, municipal, and retail sectors. While the investigation confirmed the intrusion, it could not determine the exact scope of data accessed or exfiltrated. Affected individuals were notified through client organizations and offered credit monitoring services, though the total number of impacted employees remains unclear despite the company's large client base handling millions of payroll records.

Description

On February 19, 2020, PaperlessPay Corporation, a Jacksonville-based payroll services provider, was notified by the Department of Homeland Security (DHS) that its clients’ data was being offered for sale on the dark web. The company, which specialized in generating paystubs and W-2 forms for employers, immediately shut down its web server and SQL server upon receiving this alert. PaperlessPay initiated an internal investigation and cooperated with DHS and the Federal Bureau of Investigation (FBI) to assess the breach. Forensic analysis confirmed an unauthorized individual had accessed the company’s SQL server on February 18, 2020, though investigators could not determine whether the intruder viewed, copied, or exfiltrated specific data sets during the intrusion. The scope of the compromise remained unclear due to limitations in the investigative findings. On March 20, 2020, PaperlessPay notified its clients about the incident, advising them that employee data might have been exposed. The company did not publicly disclose the breach on its website despite ongoing media coverage and client notifications.

The potentially accessed data included employee names, addresses, pay and tax withholding details, Social Security numbers, and full bank account numbers if they appeared on paystubs. PaperlessPay clarified that routing numbers and bank names were not stored in its systems. Multiple clients, including Marshall Medical Center, Community Memorial Health System, Orlando Utilities Commission, MP Environmental Services, Fareway Stores, and Lee Auto Malls, issued breach notifications to their employees. Subsequent updates revealed additional affected organizations such as Spencer Municipal Hospital, City of Fort Lauderdale, RH White, Milford Regional Medical Center, Prisma Health-Midlands, and Emanate Health. PaperlessPay offered complimentary credit monitoring and identity theft protection to impacted individuals, though the total number of affected employees was not specified. The company’s client base included approximately 1,500 organizations, with systems processing over 8 million e-stubs, 106 million W-2s, and 2 million enrolled users, suggesting a wide potential impact. Some clients, including Orlando Utilities Commission, directed users to modify passwords by adding a character—a measure criticized for its inadequacy. PaperlessPay’s corporate communications emphasized its security investments, including the 2019 launch of the PPCStubs.com platform, but did not address the breach publicly or confirm whether all affected clients had been identified.
