ADP Hacked – Learn How to Prevent it From Happening to You - American Society of Employers - Heather Nezich


ADP, a provider of payroll, tax and benefits administration services, was hacked. With more than 640,000 client companies, this had the potential to be a catastrophic breach of employee identity information. And the scary part: it can happen to you. HR systems are a prime target for attackers.

The ADP attackers used a technique dubbed “flowjacking”, which gave them access by abusing ADP’s own account-registration process rather than by breaking into its systems. Registration is a two-step process. The first step asks for the employee’s Social Security number and other personal data; the second requires a company-specific activation code. Some client companies were not careful with these codes and posted them publicly on their websites. An attacker who already holds an employee’s Social Security number and other personal data, obtained elsewhere, can look up the posted code, complete both steps and register the employee’s account before the real employee does. The public posting of these activation codes is what most likely enabled the breach.

A similar breach once hit UltiPro, another payroll and HR management provider. In that case the attackers retrieved W-2 information and filed fraudulent tax returns, with the refunds sent to prepaid American Express cards. The information was obtained by capturing login credentials, most likely through a phishing scheme. Earlier this year the University of Virginia likewise reported that attackers broke into a component of its HR system and gained access to sensitive employee information such as W-2s and banking details, again as the result of an email phishing scam.

Small companies are targets too. In 2013 the National Cyber Security Alliance reported that 50% of small-business owners said they had experienced a cyber-attack. No organization is immune.

“Imagine the power of the HR system:  It has full names, dates of birth, Social Security numbers, pay rates, employee bonuses and annual reviews,” says Chris Hadnagy, CEO of Social-Engineer Inc. and author of Social Engineering: The Art of Human Hacking.  So what can organizations do to protect their employees’ sensitive information?

The approach needs to be two-pronged: 1) educate employees to recognize phishing scams and other social-engineering attempts; 2) properly secure HR systems and employees’ personal data.

Let’s learn some terminology in the hacking world:

Social engineering – Exploiting human weaknesses rather than weaknesses in IT systems, often as one step in a larger fraud scheme such as phishing.

Phishing – A person receives an email that purports to come from a legitimate source, such as their employer or bank, and is asked to provide an account number and password or other sensitive information, usually through a link to a fake login page or a reply to the message.

Vishing (voice phishing) – An attacker calls targets to obtain the desired information over the phone. Common examples include someone posing as a tech-support specialist calling to “verify” an employee’s password, or someone posing as an HR staff member calling to confirm direct-deposit information.

Spear phishing – Not the kind you have seen on Survivor. Here a particular individual or organization is targeted rather than a broad group, and the message is tailored with details (names, job titles, current projects) that make it convincing.

Employees should be trained to recognize all of these forms of social engineering. Experts recommend ongoing, regular training rather than a single annual refresher.

Make employees aware of these social engineering red flags:

· An unexpected or unusual email with an embedded hyperlink or an attachment from someone you don’t recognize

· The sender’s email address is on a suspicious or unfamiliar domain, or one that merely resembles your company’s

· You have no relationship with the sender

· The email message is a reply to something you never sent or requested

· When you hover the mouse over a hyperlink in the message, the web address that appears is for a different site than the one named in the link text

· The email contains a hyperlink to a misspelled version of a known website. For instance, www.bankofarnerica.com: the “m” is really two characters, an “r” and an “n.” Tricky!

· The sender included an email attachment that you were not expecting or that makes no sense in relation to the email message

· The sender asks you to click on a link or open an attachment to avoid a negative consequence or gain something of value

· The email has bad grammar and excessive spelling errors – big red flag!
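Several of the red flags above can be checked mechanically, and mail filters do exactly that. The following is an added example, not code from the original article or from any vendor: a small Python script that parses one email and reports an external sender domain, link text that names one site while the link itself goes to another, an “rn”-for-“m” look-alike domain, any attachment, and pressure language. The trusted-domain list, the brand list and both sample messages are constructed for the example; the domain logic keeps only the last two labels of a host name and has no public-suffix list, which is adequate for a demonstration but not for production.

```python
"""Phishing red-flag checker: an added example, not code from the article or any vendor.
Reports the indicators listed above for one raw email: an external sender domain, link
text naming one site while the href goes to another, a look-alike domain such as
'rn' for 'm', an attachment, and pressure language. TRUSTED_DOMAINS, KNOWN_BRANDS and
both sample messages are constructed for this example."""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-corp.com"}            # assumption: our own mail domain
KNOWN_BRANDS = {"bankofamerica.com", "adp.com"}   # assumption: sites staff log in to
URGENCY = re.compile(r"\b(immediately|within 24 hours|suspended|urgent)\b", re.I)
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)")


class BodyParser(HTMLParser):
    """Collects visible text and [href, anchor text] pairs; plain text passes through."""
    def __init__(self) -> None:
        super().__init__()
        self.text, self.links = "", []
        self._open: Optional[List[str]] = None       # link currently being read

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]
            self.links.append(self._open)

    def handle_data(self, data):
        self.text += data
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None

def registrable_domain(host: str) -> str:
    """Last two labels of a host name (no public-suffix list; fine for the demo)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def lookalike_of(domain: str) -> Optional[str]:
    """Brand that `domain` imitates via rn->m, vv->w, 0->o swaps, or None."""
    if domain in KNOWN_BRANDS:
        return None
    fixed = domain.replace("rn", "m").replace("vv", "w").replace("0", "o")
    return fixed if fixed in KNOWN_BRANDS else None

def phishing_indicators(raw: bytes) -> List[str]:
    """Return 'category: detail' strings; an empty list means no red flag fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags: List[str] = []
    for addr in (msg["From"].addresses if msg["From"] else ()):
        sender = registrable_domain(addr.domain)
        if sender not in TRUSTED_DOMAINS:
            flags.append(f"external-sender: {sender}")
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = BodyParser()
    parser.feed(body.get_content() if body else "")
    parser.close()
    for href, anchor in parser.links:
        url = href if "://" in href else "http://" + href
        target = registrable_domain(urlparse(url).hostname or "")
        shown = DOMAIN_IN_TEXT.search(anchor)          # does the link text name a site?
        if shown and registrable_domain(shown.group(1)) != target:
            flags.append(f"link-mismatch: text says {shown.group(1)}, href goes to {target}")
        if brand := lookalike_of(target):
            flags.append(f"lookalike-domain: {target} imitates {brand}")
    for part in msg.iter_attachments():
        flags.append(f"attachment: {part.get_filename()}")
    if hit := URGENCY.search(parser.text):
        flags.append(f"urgency: '{hit.group(0)}'")
    return flags

def build_phish_sample() -> bytes:
    """Constructed message that trips several red flags at once."""
    msg = EmailMessage()
    msg["From"] = '"IT Support" <helpdesk@example-corp-support.com>'
    msg["Subject"] = "Action required: verify your payroll login"
    msg.set_content("<p>Your account will be suspended within 24 hours. Verify at\n"
                    '<a href="http://www.bankofarnerica.com/verify">www.bankofamerica.com</a>\n'
                    "or complete the attached form.</p>", subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="payroll_form.exe")
    return msg.as_bytes()

# Constructed internal notice with nothing suspicious in it.
BENIGN_SAMPLE = (b"From: hr@example-corp.com\r\nSubject: Benefits enrollment opens Monday\r\n"
                 b"Content-Type: text/plain\r\n\r\n"
                 b"Enrollment opens Monday in the HR portal. Reply with questions.\r\n")

if __name__ == "__main__":
    print(phishing_indicators(build_phish_sample()))
    print(phishing_indicators(BENIGN_SAMPLE) or ["no red flags"])
```

Run as a script it prints five flags for the constructed phishing message and none for the internal notice. The “rn”/“vv”/“0” swaps are only the most common look-alikes; a real filter would also compare against Unicode confusables and the organization’s own domain.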

Because of their access to highly sensitive employee information, HR departments are an attractive target. HR staff are also, by nature, inclined to help people, which makes them easier to manipulate.

Human Resource Security Tips:

· Don’t post individual HR email addresses online or give them out over the phone to people asking where to send resumes. Doing so reveals the format of internal email addresses and identifies a particular HR person’s address that can be spoofed in a phishing email.

· Be wary of applicants who bring a resume on a USB drive; the drive could carry malware.

· Ensure appropriate security controls (access restrictions, encryption) are in place before uploading files containing confidential information to a cloud service.

· Make sure HR data protection matches the requirements of the countries where employees work, as well as countries where data is stored.

· Train HR staff in the social-engineering aspects of security and test their security awareness throughout the year.

· Make sure you are running the most current versions of all your software, in particular your operating system and web browser, so that known vulnerabilities are patched.

· Use two-step authentication for account access. For example, when an employee logs in from a device the system does not recognize, they receive a text message (or an authenticator-app prompt) containing a one-time code that must be entered before the login succeeds.

· Warn employees against logging in to HR or payroll systems over free public Wi-Fi.
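The two-step login described in the tip above, as an added example that is not ADP’s code, any vendor’s code or part of the original article: a small Python step-up authenticator that remembers devices and, for an unknown one, issues a per-user six-digit code that expires after five minutes, can be used only once, and is voided after three wrong guesses. The five-minute limit, the three-attempt limit, the in-memory store, the opaque device identifier and the delivery callback are all assumptions made for the example. Those three properties (bound to one user, short-lived, single use) are exactly what a company-wide activation code that stays valid once posted on a website lacks, which is the weakness behind the ADP incident described earlier.

```python
"""Step-up (two-step) login for an HR portal: an added example, not ADP's or any
vendor's code. A login from a device the system has not seen triggers a per-user,
six-digit, single-use code that expires after CODE_TTL_SECONDS and is voided after
MAX_ATTEMPTS wrong guesses; a device that passes once is remembered. The limits, the
in-memory store, the device identifier and the delivery callback are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Set

CODE_TTL_SECONDS = 300     # assumption: a code is good for five minutes
MAX_ATTEMPTS = 3           # assumption: three wrong guesses void the code


@dataclass
class PendingCode:
    code_hash: bytes       # HMAC of the code; the clear code is never stored server-side
    expires_at: float
    attempts: int = 0


class StepUpAuthenticator:
    def __init__(self, deliver: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time):
        self._deliver = deliver                    # sends the code out of band (SMS, app push)
        self._clock = clock                        # injectable so expiry can be tested
        self._pepper = secrets.token_bytes(32)     # server-side key for hashing codes
        self._known: Dict[str, Set[str]] = {}      # user -> device ids that passed the check
        self._pending: Dict[str, PendingCode] = {}

    def _hash(self, user: str, code: str) -> bytes:
        return hmac.new(self._pepper, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def login(self, user: str, device_id: str) -> str:
        """Called after the password check. Returns 'granted' or 'code-required'."""
        if device_id in self._known.get(user, set()):
            return "granted"
        code = f"{secrets.randbelow(10 ** 6):06d}"  # CSPRNG; leading zeros kept
        self._pending[user] = PendingCode(self._hash(user, code),
                                          self._clock() + CODE_TTL_SECONDS)
        self._deliver(user, code)
        return "code-required"

    def verify(self, user: str, device_id: str, code: str) -> str:
        """Consume the pending code. Returns 'granted', 'wrong-code', 'locked',
        'expired' or 'no-code-pending'."""
        pending = self._pending.get(user)
        if pending is None:
            return "no-code-pending"
        if self._clock() > pending.expires_at:
            del self._pending[user]
            return "expired"
        pending.attempts += 1
        if not hmac.compare_digest(pending.code_hash, self._hash(user, code)):
            if pending.attempts >= MAX_ATTEMPTS:
                del self._pending[user]           # force a fresh login; no unlimited guessing
                return "locked"
            return "wrong-code"
        del self._pending[user]                   # single use
        self._known.setdefault(user, set()).add(device_id)
        return "granted"


if __name__ == "__main__":
    outbox: Dict[str, str] = {}                   # stands in for the SMS gateway
    auth = StepUpAuthenticator(deliver=outbox.__setitem__)
    print(auth.login("alice", "laptop-1"))                    # code-required
    print(auth.verify("alice", "laptop-1", outbox["alice"]))  # granted
    print(auth.login("alice", "laptop-1"))                    # granted, device remembered
```

The code is compared with `hmac.compare_digest` rather than `==` so that timing does not leak how many digits matched, and only an HMAC of the code is kept, so a dump of the pending table does not hand out live codes. A real deployment would persist the known-device list as a signed cookie or token rather than a bare identifier the client chooses.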

The bottom line: keep HR, and all employees, educated, and keep security systems up to date. HR systems are a direct line to employees’ most sensitive information. Otherwise the company could end up in the news like Snapchat did earlier this year. A payroll employee opened a phishing email that impersonated Snapchat’s CEO, Evan Spiegel. In the email the attacker, posing as Spiegel, requested payroll information for current and former employees, and the employee sent it. The attacker then exposed that information to the outside world. The company is still reeling from the effects of that incident.


Sources: CCH 7/5/16, quickbooks.intuit.com/r/technology-and-security, esecurityplanet.com 6/3/14, securityweek.com 1/22/16, SHRM.org 6/24/14, CNN Money 2/29/16
