February 25, 2005 6:06 PM PST

Payroll hole exposes dozens of companies

The payroll records of at least a dozen companies were exposed to the Internet by a flaw in the online W-2 service of PayMaxx, the accounting firm has acknowledged.

The flaw, uncovered by a Web application programmer this week, affected a limited number of customers, PayMaxx said Thursday in a statement sent to CNET News.com. PayMaxx closed the site Wednesday, after the researcher claimed that two security holes had exposed data on more than 25,000 people. Only six attempts to access unauthorized data were made in the week before the company shuttered the site, Tennessee-based PayMaxx said. The company said no other attempts had been made to exploit the vulnerability.

"Based on our initial analysis, the potential exposure is limited to a small number of companies and W-2 forms," PayMaxx said. "We have no evidence to substantiate that any other access has occurred."

The site remained offline on Friday.

Other companies have recently acknowledged that they may have inadvertently left consumer information unprotected. Last week, data-collection company ChoicePoint said information on approximately 150,000 subscribers was given to about 50 fake business fronts created by fraudsters. On Friday, Bank of America announced that lost backup tapes may have left as many as 1.2 million records unprotected.

In addition, cell-phone service provider T-Mobile has dealt with ongoing security problems that have led to the publication of celebrity Paris Hilton's personal information and the phone numbers of many Hollywood stars.

A description of the PayMaxx problem posted on Think Computer's Web site by Aaron Greenspan, president of the software start-up and the researcher who uncovered the flaw, said the security issues could let anyone view the W-2 forms generated for employees of PayMaxx's clients for the last five years. PayMaxx, however, disputed the report and accused Greenspan of withholding information that could have allowed it to act more quickly.

"Due to the lack of specificity provided by Mr. Greenspan in his obvious sales pitch, PayMaxx did not view his communications as credible," the company said in its statement. "Consequently, we declined his offer to hire his services."

Greenspan said PayMaxx is downplaying the problems.

"Think (Computer's) personnel made far more than six attempts to test the vulnerability...indicating that PayMaxx may be either hiding or missing crucial evidence of past break-ins," Greenspan said in an e-mail interview with CNET News.com.

PayMaxx plans to notify every company affected by the flaw, the company told CNET News.com.

3 comments

Join the conversation!
Add your comment
Internet Privacy for Dummies
Somebody please send PayMaxx and Choicepoint senior executives a copy of this book ASAP.


<a class="jive-link-external" href="http://www.everett.org/work.shtml" target="_newWindow">http://www.everett.org/work.shtml</a>
Internet Privacy for Dummies

"...As the creator of the Chief Privacy Officer position, a role that is rapidly becoming common in many major corporations (including Microsoft, IBM, AT&#38;T, Bank of America, Verizon, and American Express), Ray is an acknowledged expert in corporate and e-commerce privacy-related risk management and strategy."
Posted by Stating (869 comments )
Reply Link Flag
major corporations
<a class="jive-link-external" href="http://www.analogstereo.com/suzuki_esteem_owners_manual.htm" target="_newWindow">http://www.analogstereo.com/suzuki_esteem_owners_manual.htm</a>
Posted by Ubber geek (325 comments )
Link Flag
Choicepoint Fell For A Nigerian Scam
If it were not for the poor customer victims this would be laughable.
Posted by Stating (869 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.