W-2 TheftOne of the unfortunate side effects of most services and companies moving their business data entirely online is the opportunity for hackers and identity thieves to access huge databases of sensitive information all in one fell swoop. Numerous employers — and their employees — across the country have learned this the hard way in the past couple of months, as more than one website used to allow companies to give their employees W-2 access has suffered a breach. These data breaches weren’t direct hacks of the sites themselves, but instead cybercriminals taking advantage of weaknesses in the site’s setup and using personal information obtained elsewhere to log into legitimate accounts and access employee W-2s. Exactly how were these weaknesses exploited to allow tax fraudsters to obtain this information, and what does this mean for everyday people?

Equifax and ADP W-2 portals were targeted by identity thieves

Two companies that provide businesses access to employee W-2s were the victims of recent data breaches due to weaknesses in the security of their systems. These breaches share some similarities to those experienced by the IRS itself in the past couple of years.


Letters sent to current and former employees of grocery chain Kroger on May 5 indicated that the W-2Express website from credit bureau Equifax had been the target of a security incident, potentially exposing employees to tax identity theft. Thieves were able to access and download employee W-2s simply by inputting the default PIN assigned to each employee, which was nothing more than the last four digits of their social security number and their four-digit birth year. This type of information is easily accessible thanks to the high proliferation of data breaches over the past few years. Kroger’s employees are far from being the only victims of this W-2Express defect in security — in April, Stanford contacted 600 current and former employees to let them know their data was exposed, and Kroger spokespeople indicated that Experian uses the same PIN setup for all its customer companies.


Payroll, tax and benefits outsourcing company ADP saw a similar type of breach among at least a dozen of its clients. In the case of ADP customer companies, the security weaknesses came from multiple sources. ADP provides each of its customers with a custom, company-specific URL as well as an identifying code to access its customer portal. Thieves were able to access these portals and register accounts in employees’ names, once again using information stolen from other sources, after companies inadvertently published the portal information online but deferred employee access. Thus, since employees weren’t creating their accounts and logging in themselves, fraudsters were able to do so. In the case of U.S. Bancorp, one of the companies whose employees’ tax and salary information was stolen, the portal information was provided in an online company resource due to U.S. Bancorp not realizing it was confidential. ADP is currently monitoring online to try and track down any other client companies who might have published this information and get it removed, in hopes that there are no further W-2 thefts.

Any company whose employees were impacted will be contacting its employees to let them know about the issue. The only way to know for sure if your W-2 information was stolen, sadly, is to find out from the IRS itself after you file your 2016 tax return. The IRS will send a letter by mail if your tax information is determined to have been fraudulently filed.

How can you protect yourself?

Unfortunately, since many of these W-2 thefts occur when thieves gain access to external databases that employees often don’t even know about (or have declined to access), this is one type of tax identity theft that is nearly impossible to prevent. However, employers can help by ensuring employees are notified when login information is available for an external site containing sensitive data — and employees can help themselves by logging in as soon as possible and changing their password or PIN to something strong and secure. As always, filing your taxes as early as possible (ideally, once you’ve received your W-2 and other necessary forms) is one of the best ways to head off wannabe tax return fraudsters — if your taxes are already filed, they won’t be able to do anything with the information they’ve got (at least, not when it comes to stealing your refund). Find out how to get a jump start on next year’s tax season now.

Another way to protect yourself from all kinds of identity theft and make sure you’re in good hands in the event an account is opened in your name or some other kind of negative event occurs as a result is to sign up with an identity theft protection service. Not only do the majority of these services continually monitor the Internet black market, public records and other sources on the lookout for your personal information being traded, sold or misused, but most provide updated copies of your credit reports so you can check for errors that could indicate your identity has been compromised. Additionally, should you become a victim of identity theft, the identity restoration services provided by an identity theft protection service ensures you don’t have to walk through the process alone.

Learn more about how these services work by reading our identity theft protection reviews, and follow our blog for tips and information on protecting your identity and personal information all year round.