Cybercriminals accessed a W-2 portal maintained by payroll company ADP recently to glean sensitive information about employees at a handful of companies.
The company is stressing that the company itself wasn’t hacked, but that it appears identity thieves may have been able to create ADP accounts in the names of victims using previously leaked personally identifiable information.
The problem ADP claims was a self-service registration portal that allowed attackers to set up fraudulent accounts in the names of employees at those undisclosed companies.
An investigation carried out by the company determined that attackers likely pieced together information on victims using other information published about them online. Any individuals who had their W-2 information compromised, likely had their information compromised previously, ADP claims.