It has been reported that cloud-based human resources company ComplyRight said this week that a security breach of its Web site may have jeopardised sensitive consumer information — including names, addresses, phone numbers, email addresses and Social Security numbers — from tax forms submitted by the company’s thousands of clients on behalf of employees.
Florida-based ComplyRight began mailing breach notification letters to affected consumers late last week, but the form letters are extremely vague about the scope and cause of the breach.
Ryan Wilk, Vice President at NuData Security:
“One of the many dangerous things about breaches is the amount of time it takes for companies and end users to know their data is out in the open. From the moment a breach happens, hackers have ample time to broker the stolen names, Social Security numbers, tax data and other identifying information on the dark web – leaving customers and employees open to the impacts of identity theft.
“This breach underscores once again, for merchants and financial institutions, that mere reliance on passwords and usernames is insufficient to protect their organisation and their customers from online fraud. It’s past time for every organisation handling sensitive data to lock down their security, and to stop relying personally identifiable information to verify users – which is easily stolen and easily reused.
“Many companies are implementing multi-layered solutions with passive biometrics and behavioural analytics to leverage behaviour patterns and hundreds of other indicators to confirm legitimate users with true accuracy. This way companies don’t rely on the credentials and sensitive data exposed in breaches.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.