The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Search this blog

Recent Posts

On Twitter

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

David Fraser's Facebook profile

Privacy Calendar



Subscribe with Bloglines

RSS Atom Feed

RSS FEED for this site

Subscribe to this Blog as a Yahoo! Group/Mailing List
Powered by

Subscribe with Bloglines
Add to Technorati Favorites!

Blogs I Follow

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Friday, February 25, 2005

Incident: Online payroll service discloses W2 forms of thousands of US workers 

Slashdot has a discussion of yet another incident that has resulted in the potential exposure of highly sensitive personal information of thousands of Americans: from the that-why-we-use-these-password-things dept.

ThinkComp writes "PayMaxx, Inc. is a web-based payroll processing company, and they recently notified me that my on-line form W-2 was available. And so it was, along with the W-2 (including SSN and salary data) of every other one-time PayMaxx customer dating back at least five years, possibly 100,000 in all. Through, PayMaxx reports, 'PayMaxx has made and continues to make every effort to secure its system against any breach,' which is why part of their site has been down now for several days."

For Canadians, W-2 forms are the same as our T4 tax forms that employers issue, which includes the name, address, social insurance number, income, deductions, etc.

A summary of the problem is reported in a Think Computer Whitepaper:

It is this feature of the PayMaxx system that is gravely flawed. While PayMaxx’s programmers took care to ensure that their system’s authentication software worked well, they took less care to protect the code that dynamically generated form W-2, and each form includes a person’s home address, aggregate payroll, and Social Security number. Perhaps the team that created it lost sight of the sensitivity of this information; as a programmer, it is easy to become focused on the detailed mechanisms that make your program work and forget about the “big picture,” but in any event, it is still not a very good excuse. The result of this mistake was that when Pay-Maxx announced the availability of 2004 W-2s on-line, the home address, aggregate payroll, and Social Security number of each and every one of PayMaxx’s customers became available to us here at Think. By simply changing one number in a hyperlink on PayMaxx’s “secure” web site, it was possible to scan through PayMaxx’s entire W-2 database for the year 2004.

PayMaxx stored each employee’s data record sequentially in a table—a perfectly normal and acceptable practice, and one that Think uses frequently in its own software, but also one which made it possible to always guess the ID of the next record by simply adding 1. In software based on the Think Lampshade platform, each HTTP request is checked against a security array to verify that the user signed in actually has access to the data being requested. In PayMaxx’s software, this process simply didn’t exist. Anyone with access to the system could view the W-2s of employees with whom they had had no connection whatsoever. Furthermore, by simply subtracting the first ID from the last ID that allowed this behavior, it was possible to ascertain the number of W-2 forms that PayMaxx had printed for the 2004 tax year: 25,468. In other words, a glitch on a single web page made it possible to access the Social Security numbers and salaries of 25,468 individuals nationwide.

Update: CNet news is reporting that PayMaxx has closed its service while it figures out how to fix the problem - Payroll site closes on security worries CNET


Links to this post:

Create a Link

This page is powered by Blogger. Isn't yours? Creative Commons License
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License. lawyer blogs