
Cyber Incident Victim: ComplyRight

Date:

Apr 2018

Location:

United States of America

Summary

A cloud-based human resources firm suffered unauthorized access to its tax preparation platform, compromising sensitive consumer information including names, addresses, phone numbers, email addresses, and Social Security numbers from client-submitted tax forms. The breach occurred over a month-long period, impacting a service used by approximately 76,000 organizations, primarily small businesses. Notification letters sent to affected individuals were criticized for vagueness, with many recipients unaware of their association with the company. A subsequent regulatory filing indicated 662,000 individuals were impacted. The incident exposed data processed through the firm's platform, which handled tax documentation such as W-2s and 1099s. Affected parties were offered 12 months of credit monitoring.


Description

The security breach at ComplyRight, a cloud-based human resources and tax form processing company, occurred between April 20, 2018, and May 22, 2018. Unauthorized actors gained access to the company's systems, potentially compromising sensitive consumer information submitted through its tax preparation platform. The compromised data included names, addresses, phone numbers, email addresses, and Social Security numbers from tax forms such as 1099s and W-2s. ComplyRight, based in Pompano Beach, Florida, and owned by parent company Taylor Corp., discovered the intrusion on May 22, 2018. The company's efile4biz.com web platform, used by approximately 76,000 organizations to prepare employment tax documentation, was identified as the affected system. While ComplyRight initially stated that fewer than 10% of individuals with tax forms prepared through the platform were impacted, the full scope remained unclear because the company also offers services that handle Affordable Care Act and HIPAA-related paperwork.


ComplyRight began mailing breach notification letters to affected consumers in July 2018, though these communications provided limited details about the incident's cause or extent. Many recipients reported confusion, as they had no direct relationship with ComplyRight and had only interacted with the company indirectly, through their employers or contractors. The company later disclosed through a Wisconsin Department of Agriculture, Trade and Consumer Protection filing that 662,000 individuals were affected. In response, ComplyRight offered 12 months of free credit monitoring to impacted persons and recommended filing IRS Form 14039 (Identity Theft Affidavit), the route by which affected taxpayers can obtain an Identity Protection PIN that helps prevent fraudulent tax refund claims filed in their name. The breach raised questions about the effectiveness of ComplyRight's security measures, which had previously emphasized encryption of data in transit and displayed third-party security seals; neither protects data that is captured at the web front end before it is encrypted. No specific technical details about the attack method were confirmed, though analysis suggested the website itself may have been compromised, allowing credentials and submitted data to be stolen before encryption was applied. The incident highlighted the risks of concentrating sensitive employee data with a third-party service provider: a single compromise of the provider exposes the employees of every client organization, most of whom have no direct relationship with the provider.
