Friday 16 October 2009

Oh no, not again: Data breach phase two

It appears that US-based payroll services provider PayChoice has experienced the second phase of a closely coordinated attack on its data. Last month, the company suffered a breach in which customer user names and passwords were stolen, and it appears that this information was used to trick customers into downloading malware. The download allowed criminals to add fraudulent employees and associated payrolls to the accounts of PayChoice customers. The details of the second phase of the attack are still emerging, but what happened at PayChoice shows the need for added protection around sensitive data, even from people who are seemingly authorized to use it.

Once criminals gain access to an account through its authentication method, they can manipulate the data as though they were trusted users. Often the activity is not caught until well after the breach or theft has occurred, because the system assumes it is taking orders from an authorized user. The PayChoice incident points to the need for a granular view of what is happening to data at all points and for all transactions.

With the proper controls in place, PayChoice would have been alerted to suspicious activity – in this case, apparently adding false employees to payroll accounts – and would have been able to block it.