ADP Customers: Your Employees are at Risk for Identity Theft
If your company is one of the almost 650,000 businesses utilizing ADP for their HR needs, your employees’ W2 data, including their social security numbers, might be vulnerable to identity theft.
While ADP itself was not compromised, hackers now use a process called “flowjacking” to turn ADP’s internal processes against their customers. Setting up an ADP account goes like this:
- The business creates a company ADP account using business information, such the business address, phone number, etc.
- ADP sends the company a unique activation code that is used by its employees to connect to the company ADP account.
- The employees set up their own ADP profile, using their personal information.
- Employees activate their personal ADP profile by entering the company’s unique ADP activation code.
A simple and secure enough process… Unless you post your ADP activation code on your website.
If a hacker gains access to the company’s activation code, all they have to do is create their own “dummy” account using illegally acquired information (such as a stolen social security numbers). After the “dummy” account is created with the stolen activation code, the hackers now have access to the employee’s personal information, which can be traded, sold, and/or otherwise utilized for fraudulent underground activities.
ADP has not commented on how many of its customers have been harmed by this process, because ADP itself was not hacked. If you are an ADP customer, it is important that you keep your activation code in a safe place; it is probably a good idea to contact your ADP rep and ensure that your company has not been impacted.
For more ideas on keeping your information safe and secure, feel free to contact a helpful member of Petronella Computer.