Friday, February 25, 2005

Incident: Online payroll service discloses W2 forms of thousands of US workers

Slashdot has a discussion of yet another incident that has resulted in the potential exposure of highly sensitive personal information of thousands of Americans: from the that-why-we-use-these-password-things dept.

ThinkComp writes "PayMaxx, Inc. is a web-based payroll processing company, and they recently notified me that my on-line form W-2 was available. And so it was, along with the W-2 (including SSN and salary data) of every other one-time PayMaxx customer dating back at least five years, possibly 100,000 in all. Through, PayMaxx reports, 'PayMaxx has made and continues to make every effort to secure its system against any breach,' which is why part of their site has been down now for several days."

For Canadians, W-2 forms are the same as our T4 tax forms that employers issue, which includes the name, address, social insurance number, income, deductions, etc.

A summary of the problem is reported in a Think Computer Whitepaper:

It is this feature of the PayMaxx system that is gravely flawed. While PayMaxx’s programmers took care to ensure that their system’s authentication software worked well, they took less care to protect the code that dynamically generated form W-2, and each form includes a person’s home address, aggregate payroll, and Social Security number. Perhaps the team that created it lost sight of the sensitivity of this information; as a programmer, it is easy to become focused on the detailed mechanisms that make your program work and forget about the “big picture,” but in any event, it is still not a very good excuse. The result of this mistake was that when Pay-Maxx announced the availability of 2004 W-2s on-line, the home address, aggregate payroll, and Social Security number of each and every one of PayMaxx’s customers became available to us here at Think. By simply changing one number in a hyperlink on PayMaxx’s “secure” web site, it was possible to scan through PayMaxx’s entire W-2 database for the year 2004.

PayMaxx stored each employee’s data record sequentially in a table—a perfectly normal and acceptable practice, and one that Think uses frequently in its own software, but also one which made it possible to always guess the ID of the next record by simply adding 1. In software based on the Think Lampshade platform, each HTTP request is checked against a security array to verify that the user signed in actually has access to the data being requested. In PayMaxx’s software, this process simply didn’t exist. Anyone with access to the system could view the W-2s of employees with whom they had had no connection whatsoever. Furthermore, by simply subtracting the first ID from the last ID that allowed this behavior, it was possible to ascertain the number of W-2 forms that PayMaxx had printed for the 2004 tax year: 25,468. In other words, a glitch on a single web page made it possible to access the Social Security numbers and salaries of 25,468 individuals nationwide.

Update: CNet news is reporting that PayMaxx has closed its service while it figures out how to fix the problem - Payroll site closes on security worries CNET

No comments: