Back in April, DataBreaches.net noted that Stanford University was notifying its employees about tax refund fraud. The fraud appeared to result from perpetrators downloading employees’ W-2 information from the university’s vendor, W-2 Express, and then using the info to file fraudulent returns. W-2 information typically includes an employee’s name and address, their wage and salary information, as well as federal, state, and other taxes that were withheld.
To access the W-2 forms from W-2 Express, the perpetrators needed to know the employees’ Social Security numbers and date of birth – but not even their full Social Security number and full date of birth, it appears.
W-2 Express is a service of Equifax, and Stanford University was not the only organization to report that their employees’ W-2 forms had been improperly accessed at W-2 Express. Northwestern University issued a similar report, as did grocery giant Kroger. In Kroger’s case, the login credentials were the last four digits of the SSN and the 4-digit year of birth. Equifax would not respond to an inquiry from this site as to whether that was their standard setup, but a Kroger spokesperson told Brian Krebs that other companies that relied on Equifax for W-2 data also used last four digits of the SSN and 4-digit birth year as authenticators. Kroger notified its employees of the risk of tax refund fraud in May. By the end of the month, the first potential class action lawsuit against Equifax had been filed.
How many other clients received similar reports is not known at this time. Nor has it been confirmed by Equifax whether W-2 Express requires that employees of clients use SSN and DOB as login credentials or if that is a decision made by the clients.
As Stanford University’s investigation continued, it was still not clear how the perpetrators would have obtained the employees’ SSN and date of birth. By the end of April, Stanford estimated that at least 700 employees had been impacted. A copy of Stanford University’s notification letter to employees has been uploaded to the Vermont Attorney General’s site.
DataBreaches.net sent Equifax an inquiry with five questions about the incident and its scope. In response, Equifax sent a response that did not provide any new information and certainly did not answer any of the questions posed. So here are the questions that DataBreaches.net think still need answering:
1. Does the W-2 Express service require the use of SSN and DOB as login credentials, or does the client determine whether they want to use SSN/DOB or an alternative set of credentials? And if there are alternatives to using SSN/DOB, what types of alternatives are there for login credentials?
2. Was W-2 Express’s authorization controls configured to lock out IP addresses coming from overseas or out of the employees’ geographic area? If not, why not?
3. What changes has W-2 Express made in response to these incidents to strengthen/harden access controls?
4. How many clients of W-2 Express reported that their employees became victims of tax refund fraud?
5. Is there any evidence that in addition to obtaining W-2 statements, the criminals also obtained these individuals’credit reports by using the same credentials?
If anyone knows the answers to these questions, please let this site know. The encryption key is on the home page for this web site if you wish to use encrypted email.
And perhaps there should be one more question – for the Federal Trade Commission:
6. In this day and age, when so many people have already had their identity information compromised, how can it possibly be considered “reasonable security” to use the last four digits of SSN and 4-year DOB as login credentials for something as important as W-2 information?