HR Services Firm ComplyRight Suffers Major Data Breach

More than 7,500 customer companies were affected, and the number of individuals whose information was leaked is unknown.

Dark Reading logo in a gray background | Dark Reading

ComplyRight, a company that provides human resources functions to businesses, has begun notifying individuals of a data breach that may have exposed names, addresses, phone numbers, email addresses, and Social Security numbers taken from employee tax forms the company processed.

According to ComplyRight, the company has more than 76,000 customers, though it has not yet said how many were involved in the breach.

KrebsOnSecurity, which broke news of the breach on Wednesday, writes that it appears to be a compromise of the website itself, rather than customer communications to and from the website. In its report, KrebsOnSecurity said it could find no ComplyRight employee with a security title on LinkedIn.

In a statement provided to Dark Reading, Jeannie Warner, security manager at WhiteHat Security said, "As a human resources firm, ComplyRight handles forms overflowing with personally identifiable information, such as 1099s and W2s. The fact that the company touts its security prowess, yet Brian Krebs couldn't identify a single employee with a security title, is deeply concerning - and just another reason for consumers to question their trust in digital businesses."

A Qualys SSL Labs scan of the site efile4biz.com conducted by Dark Reading shows an overall score of "B", capped because the server doesn't support forward secrecy or AEAD cipher suites. It must be noted, however, that this was a scan of the public-facing site (which does contain login provisions for customers); customers transacting business with the company may be re-directed to other servers upon authentication.

Nevertheless, the fact that the page still support outdated protocols such as TLS 1.0 for sign in indicates that there may be other legacy vulnerabilities still in place in the site application code.

In the Web page disclosing the breach, ComplyRight notes that the breach occurred in late May 2018, while the disclosure occurred on July 18. Ryan Wilk, vice president of customer success at NuData Security, a Mastercard company, said, "One of the many dangerous things about breaches is the amount of time it takes for companies and end users to know their data is out in the open. From the moment a breach happens, hackers have ample time to broker the stolen names, Social Security numbers, tax data and other identifying information on the dark web – leaving customers and employees open to the impacts of identity theft."

Related Content:

 

 

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

About the Author

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and ITWorld.com on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights