The Human Resources Department is normally a secure environment, very conscientious about protecting employee personal information. But to cyber criminals, HR is a treasure trove. On April 4th, 2014, KrebsOnSecurity reported on a deep-reaching scheme by an organized criminal gang that hacked multiple Human Resources departments and filed fraudulent federal tax returns on behalf of all employees.

Stretching back to the beginning of this year’s tax filing season, organized criminals have exploited HR systems to steal all data needed to successfully file a return, such as the employee’s Social Security number, address, wages and employer identification number. They then filed false tax returns using IRS-approved online software and diverted refunds to American Express pre-paid cards, all before unsuspecting employees had a chance to file legitimately.

One web-based control panel for a tax fraud outfit tracked fraudulent returns filed on behalf of thousands of people from more than a half dozen victim organizations, totaling more than $1 million in bogus returns.

Employee information was not the only data stolen from breached HR departments: personal information of spouses and children was compromised as well, because HR processes health insurance with that information.

Third-party providers of services such as payroll are often gateways for this kind of criminal activity. Be sure to protect your company, clients, and employees with comprehensive data security, and educate all stakeholders about their responsibility to keep their credentials under lock and key.