The Kroger/Equifax W-2 Breach: What Can We Learn from It?

On May 5, 2016, Kroger sent an email to all of its more than 431,000 current employees, as well as some former employees, letting them know that their W-2 data may have been breached. The security breach was perpetrated through Equifax’s W-2 eXpress site, which makes it “simple and fast to get an original, reprinted, or corrected W-2 online.”

Three parties are involved in and affected by this breach: Kroger, Equifax, and Kroger’s current and past employees. All the facts are not yet in, but we know enough at this point to explore the details of what happened, as well as what each party (and others like them) could do in the future to make breaches like this far less likely to happen—and less damaging when they do.

Ponemon Report: Criminals continue to target healthcare data

Breach Highlights Need to Thoroughly Vet and Audit Vendors

Kroger hired Equifax to provide its convenient, electronic W-2 system to Kroger employees. In its email to employees, the retail giant acknowledges that Equifax’s W-2 eXpress site uses default login information based on SSNs and dates of birth (according to Krebs on Security, only the four-digit birth year is needed). As this breach and others like it have shown, SSNs and birth information are relatively easy for criminals to acquire.

This serves as a good reminder that when hiring any outside contractors, companies need to thoroughly vet the vendor and ensure that stringent privacy and security protections are in place. When the vendor in question will be handling hundreds of thousands of W-2 forms containing valuable employee information, the vetting process should be especially exhaustive.

Following the vetting process, firms should insist upon creation of a detailed contract with their vendors that clearly defines the privacy and security protections that will be used. To ensure that the contract is precisely followed, firms should also follow up with routine audits of their vendors.

It may not be possible for large organizations such as Kroger to audit thousands of vendors across everything from payroll to maintenance, but the vendors that have access to the most data, and the most sensitive data, should be audited as frequently as possible to ensure that they are adhering to the terms of their contracts. At the same time, other vendors should be subject to at least occasional audits.

In addition to working with their vendors to protect employee data, firms need to educate employees on how to protect themselves from data breaches. That includes notifying employees when default logins have been established with an external site that stores or manages sensitive data. At a minimum, employees should be actively encouraged to log in immediately and change their default password or PIN.

In its letter to employees, Kroger noted that, upon learning of the breach, it had “worked with Equifax to reset the default PINs needed to access the W-2 eXpress site.” The new default PIN is the last four numbers of the employee’s Kroger EUID number and (still) their four-digit birth year. Kroger added another line in its letter that one hopes employees will take note of: “To further safeguard your personal information, please visit www.mytaxform.com as soon as possible to change and create your own PIN.”

For Vendors, Security Must Come First

Equifax is one of the “big three” credit bureaus, and as such the company’s business depends in part on its reputation as a highly trusted resource for millions of Americans. The fact that the W-2 eXpress site relied on default logins based on SSNs and dates of birth may well do great harm to the firm’s reputation.

That’s especially true because the Kroger breach is not the only one of the W-2 eXpress site. In April 2016, Stanford University told 600 current and former employees that their data had been exposed, and Northwestern University recently alerted at least 150 employees that their data had been stolen via W-2 eXpress. There could be more breach notifications to come, given that Kroger spokespeople have indicated that Equifax uses the same default PIN for all its customer companies.

The vulnerability of SSNs is well known—and is one reason that Congress is considering passage of the Medicare Common Access Card Act, which would remove SSNs from the cards of Medicare beneficiaries. According to a 2015 NPR interview with Jay Jacobs, the lead data scientist involved in Verizon’s annual breach report, an estimated 60 percent to 80 percent of all SSNs have already been stolen by hackers.

For companies like Equifax, default logins based on SSNs and related personal data are convenient and likely less expensive than other options. Ironically, they also might appeal to many users who might otherwise inundate IT help desks with calls and emails as they struggle to determine how to log in using more secure credentials. However, once a large breach (or many smaller breaches) occurs, the reputational and other costs to the company are almost certainly going to be far larger than the upfront cost of setting up a more secure solution.

What Can Employees Do?

Kroger’s current and former employees are the victims here, but that does not mean there is nothing they can do now, or could have done before the breach occurred, to protect themselves.

Any time default logins and passwords are established, users should change them immediately. Kroger’s email to employees appears to address only those employees who were using the default PIN—it is possible that those who had updated their PIN were not affected by the breach.

Another smart practice for every American is to file tax returns as early as possible, whether W-2 or other personal data has been stolen or not. Tax fraudsters cannot file false tax forms if the forms have already been filed for the year.

Kroger has indicated that it will offer free credit monitoring services to affected employees—and confirmed to Krebs on Security that the service will not be supplied by Equifax. Credit monitoring will be helpful if the criminals try to open new lines of credit using the SSNs stolen in the breach. However, comprehensive identity theft recovery support would go further to protect employees and help them recover quickly if false tax claims are filed or other fraud occurs.

Individuals or businesses can also purchase identity theft protection services that monitor the dark web, public records, and other sources to identify when personal information is traded, misused, or sold. For anyone concerned about identity theft and fraud, these services may be a wise investment.

Summary

After all the facts are collected and the finger-pointing has subsided, we will be left with the usual story of hundreds of thousands of people whose lives have been impacted by a data breach. For Kroger and Equifax—and organizations like them—as well as for the affected employees, this is one more wakeup call that data breaches happen all the time, and there is more we can all do to prevent them.

Ponemon Report: Criminals continue to target healthcare data