Cloud-based HR data services firm ComplyRight has notified clients that a security breach may have compromised their personal information.
Tax forms containing names, phone numbers, email addresses, and Social Security numbers submitted by clients on behalf of employees may have been accessed, security expert Brian Krebs reported.
ComplyRight is used by about 76,000 employers to prepare tax documents. The Florida-based company said no more than 10% of clients who used the platform for tax purposes were affected, but it refused to say which cloud service had been breached.
The HR firm reportedly discovered the unauthorized access on May 22, but that the breach had been taking place since April 20. The forensic investigation revealed users’ information had been viewed, but it could not determine whether it had been downloaded or acquired.
The website efile4biz.com manages the tax documents of ComplyRight clients, and claims “data protection is a primary concern” of the team. The site purportedly uses advanced security measures.
“The result is a level of data protection that would thwart even the most determined cyber criminals,” the site claimed. “We use the strongest encryption program available, as recommended by the federal government, to block the interception or interruption of information by a third party. Data is encrypted as soon as it’s entered on the site, and it says encrypted throughout the entire print, mail and e-file process.”
While ComplyRight is giving those affected 12 months of free credit monitoring, Krebs said it is “virtually useless” in preventing data thieves from opening new accounts in their victim’s name.
Last month, talent management software company PageUp also suffered a data breach that jeopardized the personal information of jobseekers.