PayChoice Suffers Another Data Breach

Via Security Fix -

Payroll services provider PayChoice took its Web-based service offline for the second time in a month on Wednesday in response to yet another data breach caused by hackers.

Moorestown, N.J. based PayChoice, provides direct payroll processing services and licenses its online employee payroll management product to at least 240 other payroll processing firms, serving 125,000 organizations. On Thursday morning, the company sent a notice to its customers saying it had once again closed onlineemployer.com - the portal for PayChoice's online payroll service -- this time after some clients began noticing bogus employees being added to their payroll.

"After investigation, we determined that valid user credentials for an Online Employer user were used in an unauthorized manner to add these fictitious employees in an attempt to have payments made to fraudulent bank accounts," the company said in an e-mail alert to their clients sent Thursday.

This week's attack appears to be the second stage of a sophisticated cyber assault launched last month against PayChoice customers. In that attack, hackers broke into the company's servers and stole customer user names and passwords. The attackers then included that information in e-mails to PayChoice's customers warning them that they needed to download a Web browser plug-in in order to maintain uninterrupted access to onlineemployer.com. The supposed plug-in offered in that e-mail was instead malicious software designed to steal the victim's user names and passwords.

The statement sent to customers Thursday said that in this week's attack the thieves appear to have stolen login IDs and passwords by exploiting a weakness in the Web site component that allows customers to change their onlineemployer.com password. PayChoice also said it has disabled the change password capability on the site until it can eliminate the vulnerability, and that it had modified all login IDs to prevent access to the site using potentially compromised credentials.

In response to questions, the company sent an e-mailed statement, attributed to PayChoice chief executive Robert Digby.

"On Thursday, PayChoice deployed additional security measures to protect client data after the company identified a key mechanism used by online attackers. PayChoice's Online Employer site was briefly taken off line after the company discovered a security breach that occurred on October 14. PayChoice reopened the site with limited functions as it continues to tighten the security based on forensic findings from Wednesday's attack," Digby wrote. "PayChoice has communicated directly with its clients with precautionary recommendations and will update them as more information is available."

Steve Friedl, a blogger and security expert who writes the Unixwiz blog and is also a consultant for Evolution Payroll - a PayChoice competitor - said the timing of this latest attack was notable: Friedl said most of the payroll industry leaders -- including PayChoice -- are busy exhibiting and attending talks at a major industry conference in Park City, Utah this week.

"The timing is impeccable," Friedl said. "Paychoice and many of their licensees are at a major payroll conference in Utah, so it's a ripe time to slip something by a short-staffed operation."