Cyber Incident Victim: Paycom Software
Date: May 2023
Location: United States of America
Summary
Paycom Software experienced a data breach due to a previously unknown vulnerability in a third-party vendor's MOVEit file transfer software. An unauthorized party accessed files from the company's MOVEit server, compromising personally identifiable information for a small percentage of its client base and their employees, as well as a limited number of internal employee records. The company promptly deployed patches and initiated an investigation, offering affected individuals identity monitoring services.
Description
On or about May 28, 2023, a cybersecurity incident began impacting Paycom Payroll, LLC, a subsidiary of Paycom Software, Inc. The incident was not initially discovered by Paycom but was the result of a previously unknown vulnerability in the MOVEit file transfer software, a product of Progress Software Corporation, which Paycom used for a limited set of secure file transfers supporting client services and communications with certain outside vendors. This vulnerability, which could enable malicious actors to gain unauthorized access to sensitive files, was disclosed by the vendor on May 31, 2023, and is part of a wider global cybersecurity event impacting numerous organizations and governmental agencies.

The unauthorized third party exploited this MOVEit vulnerability to download copies of files from the Paycom MOVEit server. This action constituted an external system breach, or hacking, which provided the attacker access to data belonging to certain Paycom clients and their employees. The breach event occurred over a period of days, from May 28, 2023, to June 2, 2023. Paycom's internal investigation, conducted in partnership with outside independent cybersecurity forensic experts, discovered this breach on July 13, 2023.
The scope of the data compromise was confirmed through the forensic investigation. The unauthorized party gained access to personally identifiable information from employee records of approximately 127 former and current Paycom clients. This figure represented approximately 0.7% of the company’s total client base as of December 31, 2022. In total, the data of less than 0.4% of all persons on behalf of whom Paycom stored client data during the year ended December 31, 2022, was affected. A filing with the Maine Attorney General's office specified that the total number of persons affected, including residents, was 7,449, with 2 of those being Maine residents. The compromised information consisted of names or other personal identifiers in combination with driver's license numbers or non-driver identification card numbers. A limited number of internal company files stored on the same MOVEit server were also accessed, including certain employee records containing personally identifiable information.
In immediate response to the vendor's disclosure on May 31, 2023, Paycom promptly deployed cybersecurity defenses. This response included patching the MOVEit software according to the vendor’s published protocols to close the vulnerability. The company launched an internal investigation to determine the scope of the incident, engaging an external third-party computer forensics team to assist in verifying the impact. The company's public filing stated that there was no indication its primary HR and payroll software application was impacted by this incident and confirmed there had been no interruption to the company’s systems, services, or business operations as a result of the breach.
Following the discovery and investigation, Paycom began the process of directly contacting affected clients. The company provided formal written notification to all affected individuals, with the consumer notification process occurring on July 31, 2023. As part of its response, Paycom offered identity theft protection services to those impacted. The company provided affected individuals with identity monitoring services for a duration of 24 months through Experian's Identity Works program. Furthermore, Paycom automatically enrolled impacted current employees and their dependents in a company benefit that provided additional identity protection at no cost to the employees.
The company assessed the financial and operational impact of the incident, acknowledging certain remediation expenses and other potential liabilities. However, Paycom stated it did not believe the vendor incident would have a material adverse effect on its business, operations, or financial results. The incident was formally reported to the Securities and Exchange Commission in a Current Report on Form 8-K filed on May 31, 2023, and a data breach notification was submitted to the Office of the Maine Attorney General, providing details on the nature of the breach and the steps taken to notify and protect affected consumers.
