Cloud-based human resources company ComplyRight said this week that a security breach of its Web site may have jeopardized sensitive consumer information — including names, addresses, phone numbers, email addresses and Social Security numbers — from tax forms submitted by the company’s thousands of clients on behalf of employees.

Pompano Beach, Fla-based ComplyRight began mailing breach notification letters to affected consumers late last week, but the form letters are extremely vague about the scope and cause of the breach. Indeed, many readers who received these letters wrote to KrebsOnSecurity asking for more information, as the company hadn’t yet published any details about the breach on its Web site. Also, most of those folks said they’d never heard of ComplyRight and could not remember ever doing business with a company by that name.

Neither ComplyRight nor its parent company Taylor Corp. responded to multiple requests for comment this past week. But on Wednesday evening, ComplyRight posted additional facts about the incident on its site, saying a recently completed investigation suggests that fewer than 10 percent of individuals with tax forms prepared on the ComplyRight platform were impacted.

According to ComplyRight’s Web site, some 76,000 organizations — many of them small businesses — use its services to prepare tax forms such as 1099s and W2s on behalf of their employees and/or contractors. While the company didn’t explicitly say which of its cloud services was impacted by the breach, the Web site which handles its tax preparation business is efile4biz.com.

ComplyRight says it learned of the breach on May 22, 2018, and that the “unauthorized access” to its site persisted between April 20, 2018 and May 22, 2018.

ANALYSIS

Even with the additional disclosure published to ComplyRight’s site, it’s difficult to accurately gauge the size of this breach. ComplyRight includes information about its tax solutions division here and it appears that they also file Affordable Care Act (ACA) and HIPAA paperwork. So, if these “solutions” are indeed part of the “tax reporting web platform,” then we’re probably talking way more beyond efile4biz.com’s 76,000 customers. And remember that each “customer” is a business that employs multiple people.

ComplyRight’s efile4biz.com Web site has long stated that the company employs the latest, most sophisticated security measures, noting that “the result is a level of data protection that would thwart even the most determined cyber criminals.”

“Data security is a primary concern with reputable e-file providers like efile4Biz.com,” the site explains. “We use the strongest encryption program available, as recommended by the federal government, to block the interception or interruption of information by a third party. “Data is encrypted as soon as it’s entered on the site, and it says encrypted throughout the entire print, mail and e-file process.”

The site also includes a Geotrust security seal intended to reinforce the above statement. While ComplyRight hasn’t said exactly how this breach happened, the most likely explanation is that intruders managed to install malicious code on the efile4biz.com Web site — malware that recorded passwords entered into the site by employers using the service to prepare tax forms.

Translation: Assurances about the security of data in-transit to or from the company’s site do little to stop cyber thieves who have compromised the Web site itself, because there are countless tools bad guys can install on a hacked site that steals usernames, passwords and other sensitive data before the information is even encrypted and transmitted across the wire.

Also, it’s far from clear that data security is in fact a primary concern of ComplyRight. Let me explain: Very often when I’m having difficulty getting answers or responses from a company that I suspect or know has had a breach, I’ll start identifying and pestering the company’s executives via their profiles on LinkedIn.

As I did so in this case, I was surprised to discover that I couldn’t identify a single ComplyRight employee on Linkedin whose job is listed as related to security. Nor does it appear that ComplyRight is currently hiring anyone in these positions. I did, however, find plenty of network managers and software engineers, Web developers and designers, data specialists, and even several “poster guard specialists” (ComplyRight also produces workplace safety posters of the kind typically hung in corporate breakrooms).

It may well be that there are indeed security personnel working at ComplyRight, but if so they don’t seem to have a LinkedIn profile. Again, neither ComplyRight nor its parent firm responded to multiple requests for comment.

WHAT CAN YOU DO?

The company is offering 12 months of free credit monitoring to those affected by the breach. As I’ve noted several times here, credit monitoring can be useful for helping people recover from identity theft, but it is virtually useless in stopping identity thieves from opening new accounts in your name.

A more comprehensive approach to combating ID theft involves adopting the assumption that all of this static data about you as a consumer — including your name, date of birth, address, previous address, phone number, credit card number, Social Security number and possibly a great deal more sensitive information — is already breached, stolen and/or actively for sale in the cybercrime underground.

One response to this increasingly obvious reality involves enacting a security freeze on one’s credit files with the major consumer credit reporting bureaus. See this primer from last year’s breach at Equifax for more details on how to do that, and for information on slightly less restrictive alternatives.

In addition, people who received a letter from ComplyRight may also file a Form 14039 with the U.S. Internal Revenue Service (IRS) to help reduce the likelihood of becoming victims of tax refund fraud, an increasingly common scam in which fraudsters file a tax refund request with the IRS in your name and then pocket the refund money.

Any American can be a victim of refund fraud, whether or not they are owed money by the IRS. Most people first learn they are victims when they go to file their tax return and the submission is rejected because someone already filed in their name.

By filing a Form 14039, you are asking the IRS to issue you a special one-time code — called an IP PIN — via snail mail that must be entered on subsequent tax returns before the return can be accepted by the IRS.

A couple of caveats about this form: If you request and are granted an IP PIN, make sure you store the information in a safe place that you will be able to access next year when it comes time to file your taxes again (a clearly labeled folder in a locked filing cabinet is a good start).

Also, understand that enrolling in the IP PIN program requires taxpayers to pass an identity-proofing process called Secure Access. This process includes making specific credit inquiries to big-three credit bureau Experian, which means if you already have a security freeze on your consumer credit file with Experian you will need to temporarily thaw the freeze before completing the enrollment. For those contemplating a freeze and seeking an IP PIN, complete the Secure Access enrollment with the IRS before enacting a freeze.

Update, July 23, 8:00 a.m. ET: In a breach notice sent to Wisconsin’s department of consumer protection, ComplyRight said its data breach affected 662,000 people. Thanks to @PogoWasRight for sharing this link.

Tags: ComplyRight breach, efile4biz.com, Equifax, Experian, IP PIN, security freeze, tax refund fraud