Employees at U.S. Bank and several other companies that use ADP for payroll and human resources management had their identities stolen by hackers, cybersecurity blogger Brian Krebs reports.

According to Krebs's blog, more than dozen of ADP's corporate customers published sensitive account information online, a mistake that helped the thieves create individual accounts with ADP and then steal employees' W-2s.

The W-2 hack has been popular with cybercriminals this year because the tax documents have all the information needed to file false tax returns and commit other identity-related crimes.

Aaron Gogley, a special agent for the FBI's Houston Cyber Task Force, told Inc. in April that many companies do not adequately secure their employees' W-2s.

"For criminals, the W-2 is the crown jewels," Gogley said. "For companies, the W-2 is an overlooked area because most organizations think their crown jewels are their products or trade information."

The IRS hasn't disclosed how many fraudulent returns have been filed this year, but dozens of companies have fallen victim to the W-2 breach, including data storage firm Seagate, social media platform Snapchat, and Inc.'s parent company Mansueto Ventures.


U.S. Bank spokesman Dana Ripley confirmed the incident, saying the company is not sure how cyber crooks originally obtained employee personal information to create fraudulent accounts with ADP.

About 2 percent of U.S. Bank's 67,000 employees had their tax and salary data stolen, Krebs writes. The criminals seemed to already have the employees' names and other personal information needed to set up the ADP accounts they used to steal the W-2s. ADP tells Inc. that the personal information did not come from a leak on its end.

"ADP has learned of a small number of clients whose employees have been victimized by fraudulent registrations through a self-service registration portal," Dick Wolf, senior director of ADP's corporate communications department, writes in an email. "Any potential exposure of W2 information was limited to individuals who have had their personal information compromised previously (unrelated to ADP) based on ADP's investigation to date."