
Large Payroll Services Firm Gets Hacked

Last week, the Washington Post newspaper reported:

"Hackers last week apparently used stolen account information from a New Jersey company that provides online payroll services to target the firm's customers in a scheme to steal passwords and other information. Moorestown, N.J. based PayChoice, provides direct payroll processing services and licenses its online employee payroll management product to at least 240 other payroll processing firms, serving 125,000 organizations."

The hackers sent a phishing e-mail message only to PayChoice's customers, in an attempt to trick the customers into revealing their corporate bank account sign-in credentials:

"... a number of PayChoice customers received an e-mail warning them that they needed to download a Web browser plug-in in order to maintain uninterrupted access to, the portal for PayChoice's online payroll service... If successful, PayChoice said, the malicious sites downloaded a Trojan horse program called TrojanDownloader:Win32/Bredolab.X, which according to Microsoft is a malware program that tries to download additional malicious files and disable security software on the infected PC."

PayChoice's response to the breach:

"PayChoice said the company discovered on Sept 23 that its online systems had been breached. The company said it immediately shut down the site and instituted fresh security measures to protect client information, such as requiring users to change their passwords."

I checked the PayChoice site and didn't see a news release about the breach. The company's breach response seems quick but sloppy. It seems that the company responded to the breach only after its customers started receiving phishing e-mail messages. PayChoice says that only customers were affected by the breach. I wonder what other data was stolen that the company may not know about. Currently, the site includes a cryptic message warning its customers about the phishing e-mail message. A better and more comprehensive breach response would have included:

  • A full press release at the company's site
  • What other data the hackers stole when they broke into PayChoice's systems
  • Details and frequently asked questions for breach victims
  • A statement of what help PayChoice is offering to its breach victims and its employees
  • A statement about what PayChoice is doing to prevent future breaches

As I've written previously in this blog, identity criminals and fraudsters are smart and persistent. They will search for the weak link in a company's security defenses.

This breach serves notice to all financial services and related companies that handle consumers' sensitive payment and payroll information. Identity criminals first targeted consumers' computers. Then they targeted the banks for credit card information. Next, they moved upstream and targeted the credit card transaction processes. Now, they have moved further upstream and targeted the payroll processing services.



John Taylor

Good one, George. Apparently the company has not heard of the FACTA Red Flags Rule which they are subject to. Under that rule they are absolutely liable for the losses and since the loss was due to a hack they must fully disclose the incident(s) to all possibly affected. I think they have 90 days to do that from the date of discovery. The liability is also equally shared with the client company whose employees are affected.
They are also liable under GLB Safety Act and FACTA for failing to adequately protect the data they are entrusted with. The victims do not have to show penury damages in such a class action.
The FTC also has prosecutorial oversight and can mandate audits and call for fines, as per the TJX case. Good report, thanks!



Wow, pretty dangerous! Really sophisticated method.

Account Deleted

Now that's called some sci-fi hacking. That can really cause a blunder, especially for the small client companies. But there are surely some countermeasures that can be taken to avoid this.

Account Deleted

I have been searching for information about hiring SEO outsourcing services for my business, as most of our capital comes from online registered clients. But how can anyone save a website from such hacking attacks, and are there any countermeasures that can be taken in the real world?


This blog includes content primarily for consumers. So, it is not the place for answers to business questions you seek, like SEO services or anti-hacking methods. Hence, I have deleted the link you included in your comment.



I think it's necessary to study payrolling. I am looking for online information about it and also looking for some software tools that can help me with this.
