ComplyRight breach: Consumers' personal data, Social Security numbers compromised via tax forms
- Compromised data included names, addresses, phone numbers, email addresses and Social Security numbers of individual tax form recipients.
- ComplyRight said less than 10% of individuals with tax forms prepared on the platform were impacted in the breach.
Human resources firm ComplyRight said it suffered a data breach that may have compromised the personal details of consumers from tax forms submitted by the company's business clients on behalf of their employees. The firm said it was alerted on May 22 to the breach, which affected its tax reporting web platform, a platform used by various sites to prepare tax-related forms.
A subsequent investigation revealed that "unauthorized access" to the site persisted between April 20 and May 22, the firm said in a statement.
ComplyRight said it immediately disabled the platform and fixed the issue on the website.
"In consultation with third-party forensic cybersecurity experts, we took swift action to secure the data of our partners, business customers and the individuals potentially impacted," the company said. "The forensic investigators concluded that there was unauthorized access to our website resulting in compromise of personal information for some individual recipients of tax forms such as 1099 or W-2 forms."
The company has not offered specific details about the data breach and how it occurred.
However, security researcher Brian Krebs notes that the "most likely explanation is that intruders managed to install malicious code on the efile4biz.com Web site — malware that recorded passwords entered into the site by employers using the service to prepare tax forms."
Sensitive data compromised
Compromised information includes names, addresses, phone numbers, email addresses and Social Security numbers of individual tax form recipients.
"Although the forensic investigation determined the information was accessed and/or viewed, the investigators were unable to confirm whether the information was downloaded or otherwise acquired by the unauthorized user," the company said.
ComplyRight said less than 10% of individuals with tax forms prepared on the platform were impacted in the breach. According to its website, about 76,000 organizations use its services to prepare tax forms such as 1099s and W-2s on behalf of their employees or contractors.
It added that it is currently not aware of any identity fraud reports as a direct result of the incident.
The company is currently notifying all affected businesses and individuals of the breach, and is offering 12 months of free credit monitoring and identity protection services. It has also notified law enforcement, the IRS and regulators, including state Offices of the Attorney General, of the breach.
"At ComplyRight, we take privacy and security very seriously and sincerely apologize for this occurrence. We have been providing businesses with tax reporting products and services for more than 30 years," the firm said. "This incident is unprecedented in our history and we immediately executed additional security measures and analysis of our platform and practices. We remain committed to maintaining the privacy of information entrusted to us and, moving forward, we will continue to strengthen our security protocols and practices."