Last week, the Washington Post newspaper reported:
"Hackers last week apparently used stolen account information from a New Jersey company that provides online payroll services to target the firm's customers in a scheme to steal passwords and other information. Moorestown, N.J.-based PayChoice provides direct payroll processing services and licenses its online employee payroll management product to at least 240 other payroll processing firms, serving 125,000 organizations."
The hackers sent a phishing e-mail message only to PayChoice's customers, in an attempt to trick them into revealing their corporate bank account sign-in credentials:
"... a number of PayChoice customers received an e-mail warning them that they needed to download a Web browser plug-in in order to maintain uninterrupted access to onlineemployer.com, the portal for PayChoice's online payroll service... If successful, PayChoice said, the malicious sites downloaded a Trojan horse program called TrojanDownloader:Win32/Bredolab.X, which according to Microsoft is a malware program that tries to download additional malicious files and disable security software on the infected PC."
PayChoice's response to the breach:
"PayChoice said the company discovered on Sept 23 that its online systems had been breached. The company said it immediately shut down the onlineemployer.com site and instituted fresh security measures to protect client information, such as requiring users to change their passwords."
I checked the PayChoice site and didn't see a news release about the breach. The company's breach response seems quick but sloppy. It seems that the company responded to the breach only after its customers started receiving phishing e-mail messages. PayChoice says that only onlineemployer.com customers were affected by the breach. I wonder what other data was stolen that the company may not know about. Currently, the onlineemployer.com site includes a cryptic message warning its customers about the phishing e-mail message. A better and more comprehensive breach response would have included:
- A full press release at the company's site
- A disclosure of what other data the hackers stole when they broke into PayChoice's systems
- Details and frequently asked questions for breach victims
- A statement of what help PayChoice is offering to its breach victims and its employees
- A statement about what PayChoice is doing to prevent future breaches
As I've written previously in this blog, identity criminals and fraudsters are smart and persistent. They will search for the weak link in a company's security defenses.
This breach serves notice to all financial services and related companies that handle consumers' sensitive payment and payroll information. Identity criminals first targeted consumers' computers. Then they targeted the banks for credit card information. Next, they moved upstream and targeted the credit card transaction processes. Now, they have moved further upstream and targeted the payroll processing services.