PayChoice Suffers Another Data Breach

Payroll services provider PayChoice took its Web-based service offline for the second time in a month on Wednesday in response to yet another data breach caused by hackers.

Moorestown, N.J.-based PayChoice provides direct payroll processing services and licenses its online employee payroll management product to at least 240 other payroll processing firms, serving 125,000 organizations. On Thursday morning, the company sent a notice to its customers saying it had once again closed the portal for PayChoice's online payroll service, this time after some clients began noticing bogus employees being added to their payroll.

"After investigation, we determined that valid user credentials for an Online Employer user were used in an unauthorized manner to add these fictitious employees in an attempt to have payments made to fraudulent bank accounts," the company said in an e-mail alert to their clients sent Thursday.

This week's attack appears to be the second stage of a sophisticated cyber assault launched last month against PayChoice customers. In that attack, hackers broke into the company's servers and stole customer user names and passwords. The attackers then included that information in e-mails to PayChoice's customers warning them that they needed to download a Web browser plug-in in order to maintain uninterrupted access to the service. The supposed plug-in offered in that e-mail was instead malicious software designed to steal the victim's user names and passwords.

The statement sent to customers Thursday said that in this week's attack the thieves appear to have stolen login IDs and passwords by exploiting a weakness in the Web site component that allows customers to change their password. PayChoice also said it has disabled the change password capability on the site until it can eliminate the vulnerability, and that it had modified all login IDs to prevent access to the site using potentially compromised credentials.

In response to questions, the company sent an e-mailed statement, attributed to PayChoice chief executive Robert Digby.

"On Thursday, PayChoice deployed additional security measures to protect client data after the company identified a key mechanism used by online attackers. PayChoice's Online Employer site was briefly taken off line after the company discovered a security breach that occurred on October 14. PayChoice reopened the site with limited functions as it continues to tighten the security based on forensic findings from Wednesday's attack," Digby wrote. "PayChoice has communicated directly with its clients with precautionary recommendations and will update them as more information is available."

Steve Friedl, a blogger and security expert who writes the Unixwiz blog and is also a consultant for Evolution Payroll - a PayChoice competitor - said the timing of this latest attack was notable: Friedl said most of the payroll industry leaders -- including PayChoice -- are busy exhibiting and attending talks at a major industry conference in Park City, Utah this week.

"The timing is impeccable," Friedl said. "PayChoice and many of their licensees are at a major payroll conference in Utah, so it's a ripe time to slip something by a short-staffed operation."

By Brian Krebs  |  October 15, 2009; 8:40 PM ET
Categories:  Fraud , Latest Warnings  | Tags: hack, paychoice  


The internet has always been unsafe, yet American companies seem to never learn.

A standalone computer system can handle most of the functions of doing payrolls, but this is not good enough. Far better to use that cheap internet system that also has others stick the checks into envelopes and lick the envelopes closed. Let their employees do the work.

Posted by: bsallamack | October 16, 2009 1:52 PM

I am starting to think that the only safe way to handle financial things with a computer is to use a dedicated machine that has no internet access (and has never had internet access), *AND* to use dedicated dial-up lines directly into whatever bank/vendor you are working with. No internet, no ARP poisoning, no MITM.

To reduce bandwidth requirements, custom applications would be used that would handle the communications.

Most banks no longer have modem banks. When you start to see them putting them back, you will know that the internet has been abandoned for serious work.

Posted by: jackrussell252521 | October 16, 2009 5:01 PM

And next they want to put your medical history online. Then there will be a free-for-all on data theft.

Posted by: askgees | October 16, 2009 10:54 PM

Brian, the Microsoft Windows Presentation add-on that was installed on my Firefox browser without my permission or knowledge is reported to be a security threat (drive-by malware downloads). Would you please report on your take on this? Thanks for your advice and discussions on WaPo.

Posted by: VeronaItaly | October 17, 2009 1:25 AM

The Microsoft Windows Presentation add-on wasn't installed by a drive-by. Windows Update pushed it, and it turns out to have some vulnerabilities, so Mozilla disabled it:

Posted by: jackrussell252521 | October 17, 2009 9:56 AM

Veronaitaly -- We should be publishing a blog post on that very topic within the hour. Thanks for your interest.

Posted by: BTKrebs | October 17, 2009 5:54 PM

The comments to this entry are closed.


© 2010 The Washington Post Company