The website of human resources firm ComplyRight was reportedly breached and sensitive data compromised, according to KrebsonSecurity. In addition to tax forms from thousands of the company’s clients, other sensitive information accessed in the breach included names, addresses, phone numbers, email addresses and Social Security numbers.
As part of his investigation, Krebs reported that he searched ComplyRight employee profiles on LinkedIn in an effort to reach members of the security department, yet he was unable to find anyone whose job title was related to security. He also noted that the company had no current listing for security job openings.
“The fact that the company touts its security prowess, yet Brian Krebs couldn’t identify a single employee with a security title, is deeply concerning – and just another reason for consumers to question their trust in digital businesses,” said Jeannie Warner, security manager at WhiteHat Security.
“Every single company that touches sensitive data needs to make security a consistent, top-of-mind concern. And any company offering software as a service should have an obligation to perform the strictest security tests against vulnerable avenues into client networks: APIs, network connections, mobile apps, websites, databases,” Warner said. “Interestingly, in a check on its website, it is still not advertising anyone in IT security, nor is security mentioned in the requirements for digital product hires.”
According to WhiteHat Security research, a number of web applications remain “always vulnerable” and susceptible to attack on a daily basis. “Despite the fact that web applications often house sensitive consumer data, they are often forgotten when it comes to implementing security measures – making them an easy target for hackers, who can exploit them and gain access to back-end corporate databases,” she said.
As a human resources firm, ComplyRight handles forms overflowing with personally identifiable information, such as 1099s and W-2s. While the size of the hack isn’t known yet, the company disclosed that it first learned of the incident in late May 2018, at which point it disabled the platform and remediated the issue on the website.
“In consultation with third-party forensic cybersecurity experts, we took swift action to secure the data of our partners, business customers and the individuals potentially impacted,” ComplyRight wrote in its incident notice. The company also reported that it initiated a thorough communication plan to alert those individuals potentially affected by the breach, which the company said is less than 10% of those who have prepared tax forms on the web platform.