A data breach at ComplyRight, a firm that provides HR and tax services to businesses, may have affected 662,000 people, according to a state agency. It has also prompted a lawsuit, which was filed in federal court by a person who was notified that their personal data was breached. The lawsuit seeks class-action status.

The ComplyRight data breach included names, addresses, phone numbers, email addresses and Social Security numbers, some of which came from tax and W-2 forms.

ComplyRight's services include a range of HR products, such as recruitment and time-and-attendance tools, as well as an online app for storing essential employee data. This particular attack was directed at its tax-form-preparation website. Hackers go after customer and employee data. The Identity Theft Resource Center's 2018 midyear report, for instance, lists every known breach so far this year and describes the compromised data as a shopping list of HR-managed data.

Company: No more than 10% of customers affected

The breach occurred between April 20 and May 22, and the company notified affected parties by mail. ComplyRight, in a posted statement, said "a portion (less than 10%)" of people who have their tax forms prepared on its web platform were affected by a cyberattack, but it did not say how many customers were affected by its breach. The company knows the data was accessed or viewed, but it was unable to determine if the data was downloaded, according to the firm's statement.

But the state of Wisconsin, which publishes data breach reports, has shed some light on the scale of the impact. It reported the ComplyRight data breach affected 662,000 people -- including 12,155 Wisconsin residents. A spokesman for the Wisconsin Department of Agriculture, Trade and Consumer Protection said this figure was provided verbally to the state by an attorney for ComplyRight.

Rick Roddis, president of ComplyRight, based in Pompano Beach, Fla., said in an email that the firm won't be commenting, for now, beyond what it has posted on the site. Among the steps ComplyRight said it took was the hiring of a third-party security expert who conducted a forensic investigation. The firm is also offering credit-monitoring services to affected parties.

Security expert Nikolai Vargas, who looked at the firm's statement, said ComplyRight "is doing the bare minimum in terms of transparency and informing their clients of the details of the security incident." "In cases of a data breach, it is important to disclose how long the exposure occurred and the scope of the exposure," said Vargas, who is CTO of Switchfast, an IT consulting and managed service provider based in Chicago. ComplyRight stating that "less than 10%" of individuals were affected "doesn't really explain how many people were impacted," he added. "Technical details are nice to have, but they're not always necessary and may need to be withheld until protections are put in place," Vargas said.

Federal suit alleges poor protection

The ComplyRight data breach was reported by Krebs on Security, which had heard from customers who had received breach notification letters. Susan Winstead, an Illinois resident, received the notification from ComplyRight on July 17, outlining what happened. She is the plaintiff in the lawsuit filed July 20 in the U.S. District Court for the Northern District of Illinois. The lawsuit faults ComplyRight for allegedly not properly protecting its data and not immediately notifying affected individuals, and the suit seeks damages for the improper disclosure of personal information, including the time and effort to remediate the data breach.