Customers of Equifax's TALX payroll unit hit by tax refund fraud

Unauthorised access to customers’ employee tax records apparently took place between 17 April 2017 and 29 March 2017.

At least five large customers of Equifax’s payroll division have been sent a data breach notification following a series of tax refund fraud incidents over the last year.

According to information security blog Krebs on Security, the US-based credit bureau’s TALX subsidiary, now renamed Equifax Workforce Solutions, sent out a boilerplate text to several affected customers that indicated unauthorised access to customers’ employee tax records had taken place between 17 April 2017 and 29 March 2017.

Companies contacted included defence contractor giant Northrop Grumman; staffing firm Allegis Group; construction conglomerate Saint-Gobain; retirement community operator Erickson Living and the University of Louisville.

The extent of the fraud is currently unclear, and Equifax has refused to say how many payroll service customers or consumers may have been affected. But the problem occurred when criminals were able to reset the four-digit PIN code issued to customer employees as a password, before correctly answering knowledge-based authentication (KBA) questions such as the customer’s location.

Subsequent access to the TALX online portal enabled the crooks to steal W-2 wage and tax data. Such data can be used to file fraudulent tax refund requests with the Internal Revenue Service (IRS) and pertinent states on behalf of victims. According to the IRS, some 787,000 US citizens reported being hit in this way last year.

Avivah Litan, a fraud analyst with high-tech market research firm Gartner, said that Equifax should have known better than to rely on a simple PIN as a password. “That’s so 1990s,” Litan said. “It’s pretty unbelievable that a company like Equifax would only protect such sensitive data with just a PIN.”

Litan added that TALX should have required customers to use two-factor authentication mechanisms such as one-time tokens sent to their email address or mobile device – something that the company says it is now doing.

But the Krebs blog also warned that KBA questions have been becoming less and less effective for years. The problem is that so much of the information needed to guess the answers to multiple-choice questions is now indexed or exposed by search engines, social networks or third-party online services, both criminal and commercial. As a result, the answers are easy to find if you know which databases to look in.
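To make the design point concrete, the following is an added illustration written for this page; it is not code from the article, from Krebs on Security, or from Equifax/TALX, and it does not model the real portal. It contrasts a PIN reset gated only by KBA answers (the flow the article describes, where discoverable answers are enough to take over the account) with a reset that treats KBA as no more than a gate to send a one-time code to the employee's registered contact, limits failed attempts, and records every step for detection. All account names, answers, contact details and the `MAX_KBA_ATTEMPTS` policy value are constructed sample data.

```python
"""Toy account-recovery model: KBA-only PIN reset vs. KBA + out-of-band OTP.
Added illustration, not TALX/Equifax code. All data below is constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_KBA_ATTEMPTS = 3  # assumed lockout policy, not from the article


def _h(value: str) -> str:
    """Hash a normalised secret so neither PINs nor KBA answers sit in plaintext."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()


@dataclass
class Account:
    username: str
    pin_hash: str
    kba: Dict[str, str]            # question -> hash of the normalised answer
    contact: str                   # registered e-mail/phone used for OTP delivery
    failed_kba: int = 0
    locked: bool = False
    pending_otp: Optional[str] = None
    audit: List[str] = field(default_factory=list)  # events a SOC would ingest


def make_account(username: str, pin: str, answers: Dict[str, str], contact: str) -> Account:
    return Account(username, _h(pin), {q: _h(a) for q, a in answers.items()}, contact)


def kba_passes(acct: Account, answers: Dict[str, str]) -> bool:
    """Constant-time comparison of every stored answer hash."""
    return all(q in answers and hmac.compare_digest(acct.kba[q], _h(answers[q]))
               for q in acct.kba)


def weak_reset(acct: Account, answers: Dict[str, str], new_pin: str) -> bool:
    """KBA-only reset: anyone who can look up the answers can change the PIN."""
    if not kba_passes(acct, answers):
        return False
    acct.pin_hash = _h(new_pin)
    acct.audit.append("pin_reset_kba_only")
    return True


def begin_reset(acct: Account, answers: Dict[str, str]) -> Optional[str]:
    """Hardened step 1: KBA only unlocks delivery of a one-time code.
    Returns the code so the example is testable; a real system delivers it
    to acct.contact and never hands it back to the caller."""
    if acct.locked:
        return None
    if not kba_passes(acct, answers):
        acct.failed_kba += 1
        acct.audit.append("kba_failed")
        if acct.failed_kba >= MAX_KBA_ATTEMPTS:
            acct.locked = True
            acct.audit.append("locked_after_failed_kba")
        return None
    acct.pending_otp = f"{secrets.randbelow(10**6):06d}"
    acct.audit.append("otp_sent:" + acct.contact)
    return acct.pending_otp


def complete_reset(acct: Account, otp: str, new_pin: str) -> bool:
    """Hardened step 2: the PIN changes only with a valid, single-use code."""
    if acct.locked or acct.pending_otp is None:
        return False
    expected, acct.pending_otp = acct.pending_otp, None  # single use either way
    if not hmac.compare_digest(expected, otp):
        acct.audit.append("otp_failed")
        return False
    acct.pin_hash = _h(new_pin)
    acct.audit.append("pin_reset_with_otp")
    return True


def pin_search_space(digits: int = 4) -> int:
    """Size of the secret space a numeric PIN offers: 10,000 for four digits."""
    return 10 ** digits


if __name__ == "__main__":
    acct = make_account("jdoe", "1234", {"city": "Louisville"}, "jdoe@example.com")
    print("weak reset with looked-up answer:", weak_reset(acct, {"city": "louisville"}, "9999"))
    code = begin_reset(acct, {"city": "louisville"})
    print("hardened reset without the code:", complete_reset(acct, "000000", "4321"))
    print("audit trail:", acct.audit)
```

The hardened path does not make KBA answers any harder to find; it makes finding them insufficient, and every failed KBA or OTP check lands in the audit trail where a spike of resets against many employees of one customer becomes visible.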