Data Breach? Not Exactly… but Kinda?

May 12th, 2016 by admin

In John Cougar’s nostalgic anthem Cherry Bomb, he writes, longing for the good ol’ days: “That’s when a sport was a sport.”

Last week, I was longing for the good ol’ days when a data breach was a data breach…

As the world knows, on May 3rd, US Bank announced that hackers had stolen some of their employees’ W-2 information and other data from US Bank’s ADP Employee Portal.  This has been widely reported and understood as the May 3rd “ADP Breach,” a somewhat disingenuous moniker for the episode, as it turns out.

Some background, gleaned largely from the always-outstanding Krebs on Security columns.

The attackers stole the victims’ personal information (dates of birth, social security numbers, etc.) from, as of this writing, an unknown source… not ADP, or US Bank for that matter.  Then, the bad guys:

  • Somehow acquired the URL and company code for US Bank’s ADP Portal, which US Bank admits it published to its employees with little restriction
  • Somehow correlated their stolen names, SSNs, and dates of birth with US Bank employees who had yet to register their ADP portal logins, meaning the hackers could use the published URL and company code to create passwords for those employees in the ADP Portal
  • Then accessed the employees’ ADP portals to acquire W-2 and other data, which they used to file false tax returns and collect fraudulent refunds
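An added example, not code from the original post or from ADP or US Bank: a minimal Python model of the registration flow described in the list above, showing why a shared company code plus static identity data does not prove who is registering, next to a check that also requires a per-employee, single-use enrollment code. All names, values and the enrollment-code design are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

COMPANY_CODE = "EXAMPLE-CO-1234"  # constructed; one shared value for every employee

# Constructed roster of employees who have not yet registered a portal login.
ROSTER = {"123-45-6789": {"dob": "1980-01-31", "registered": False}}

def weak_register(company_code, ssn, dob):
    """Shared company code plus static identity data. None of these values is
    a secret held only by the employee, so stolen PII passes this check."""
    rec = ROSTER.get(ssn)
    return bool(rec and not rec["registered"]
                and company_code == COMPANY_CODE and dob == rec["dob"])

class Enrollment:
    """Per-employee, single-use, expiring enrollment codes (assumed design)."""
    def __init__(self, ttl_seconds=7 * 24 * 3600):
        self.ttl = ttl_seconds
        self._pending = {}  # ssn -> (sha256 of code, expiry timestamp)

    def issue(self, ssn, now=None):
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(16)  # delivered out of band to the employee
        digest = hashlib.sha256(code.encode()).digest()
        self._pending[ssn] = (digest, now + self.ttl)  # store only the hash
        return code

    def register(self, ssn, dob, code, now=None):
        now = time.time() if now is None else now
        rec = ROSTER.get(ssn)
        pending = self._pending.get(ssn)
        if not rec or rec["registered"] or dob != rec["dob"] or not pending:
            return False
        digest, expiry = pending
        ok = now <= expiry and hmac.compare_digest(
            digest, hashlib.sha256(code.encode()).digest())
        if ok:
            del self._pending[ssn]  # the code cannot be replayed
            rec["registered"] = True
        return ok
```

A real deployment would also rate-limit failed attempts and alert on registrations for long-dormant accounts; this model omits both.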

Now time for your multiple-choice quiz.  In this case, the organization victimized by a “breach” was:

B.  US Bank
D.  I have no idea…

I’m going with D.

Now, does ADP need to revisit its process for registering new employees of its customers in their company portals?  Of course.  Should US Bank be more careful with the ADP portal registration URL and company codes?  Without question.  Was ADP “breached”?  Certainly not in the traditional sense.

If someone steals my credit card and buys a flatscreen TV at Best Buy, was Best Buy breached?

They say a rumor makes its way halfway around the world before the truth gets its boots on, and I think that adage may have some applicability here.

We’ll learn more about the details of this incident over the coming weeks, but it seems clear at this point that calling this an “ADP breach,” conjuring images of bad guys crawling ADP’s network, commandeering elevated credentials and stealing reams of W-2s, is more rumor than reality.
