santiago silver - Fotolia
ComplyRight data breach affects 662,000, gets lawsuit
ComplyRight, an HR and tax services firm, was hit with a data breach that affected 662,000 people. It has also prompted a lawsuit by a person whose data was breached.
A data breach at ComplyRight, a firm that provides HR and tax services to businesses, may have affected 662,000 people, according to a state agency. It has also prompted a lawsuit, which was filed in federal court by a person who was notified that their personal data was breached. The lawsuit seeks class-action status.
The ComplyRight data breach included names, addresses, phone numbers, email addresses and Social Security numbers, some of which came from tax and W-2 forms.
ComplyRight's services include a range of HR products, such as recruitment, time and attendance, as well as an online app for storing essential employee data. This particular attack was directed at its tax-form-preparation website. Hackers go after customer and employee data. The Identity Theft Resource Center 2018 midyear report, for instance, lists every known breach so far this year. It said the compromised data is a shopping list of HR managed data.
Company: No more than 10% of customers affected
The breach occurred between April 20 and May 22, and the company notified affected parties by mail.
ComplyRight, in a posted statement, said "a portion (less than 10%)" of people who have their tax forms prepared on its web platform were affected by a cyberattack, but it did not say how many customers were affected by its breach. The company knows the data was accessed or viewed, but it was unable to determine if the data was downloaded, according to the firm's statement.
But the state of Wisconsin, which publishes data breach reports, has shed some light on the scale of the impact. It reported the ComplyRight data breach affected 662,000 people -- including 12,155 Wisconsin residents. A spokesman for Wisconsin Department of Agriculture, Trade and Consumer Protection said this figure was provided verbally to the state by an attorney for ComplyRight.
Rick Roddis, president of ComplyRight, based in Pompano Beach, Fla., said in an email that the firm won't be commenting, for now, beyond what it has posted on the site.
Among the steps ComplyRight said it took was the hiring of a third-party security expert who conducted a forensic investigation. The firm is also offering credit-monitoring services to affected parties.
Security expert Nikolai Vargas, who looked at the firm's statement, said ComplyRight "is doing the bare minimum in terms of transparency and informing their clients of the details of the security incident."
"In cases of a data breach, it is important to disclose how long the exposure occurred and the scope of the exposure," said Vargas, who is CTO of Switchfast, an IT consulting and managed service provider based in Chicago. ComplyRight stating that "less than 10%" of individuals were affected "doesn't really explain how many people were impacted," he added.
"Technical details are nice to have, but they're not always necessary and may need to be withheld until protections are put in place," Vargas said.
Federal suit alleges poor protection
Nikolai VargasCTO at Switchfast
The ComplyRight data breach was reported by Krebs on Security, which had heard from customers who had received breach notification letters.
Susan Winstead, an Illinois resident, received the notification from ComplyRight on July 17, outlining what happened. She is the plaintiff in the lawsuit filed July 20 in the U.S. District Court for the Northern District of Illinois.
The lawsuit faults ComplyRight for allegedly not properly protecting its data and not immediately notifying affected individuals, and the suit seeks damages for the improper disclosure of personal information, including the time and effort to remediate the data beach.
Company faced difficult detective work
Another independent expert who looked at ComplyRight's notice, Avani Desai, said the company "followed best practice for incident response."
With a cyberattack, one of the most difficult processes initially is identifying that there was an actual attack and the true extent of it, said Desai, president of Schellman & Company, a security and privacy compliance assessor in Tampa, Fla. It's important to ask the following questions early: Was there sensitive information that was involved? Which systems were exploited? The firm quickly hired a third-party forensic group, she noted.
"ComplyRight locked down the system prior to announcing the breach, which is important, because when organizations announce too quickly, we see copycat attacks hit the already vulnerable situation," Desai said.
Mike Sanchez, chief information security officer of United Data Technologies, an IT technology and services firm in Doral, Fla., said the things the firm did right are "they disabled the platform and performed a forensic investigation to understand the cause of the breach, as well as the breadth of the malicious actor's actions."
But Sanchez said the firm's statement, which he described as a "very high-level summary," lacked many specifics, including the exact flaw that was used to gain access to the data.
The Identity Theft Resource Center reported that as of the six months of this year, there were 668 breaches exposing nearly 22.5 million records.