An unknown number of current and former employees of credit reporting firm Equifax received W-2 forms in the mail with their Social Security numbers visible through a window on the envelope, CNET has learned.
Equifax became aware of the problem on January 19 and informed employees in a letter dated January 27, according to a copy of the letter obtained by CNET.
Specifically, some of the tax forms mailed by Equifax's payroll vendor through the U.S. Postal Service had the Social Security number in a Control Number field, which was partially or fully viewable through the return address window, Coretha Rushing, chief human resources officer at Equifax, wrote in the letter. "Control Numbers were intended to be a unique number, not a SSN," she said.
"I am sending this communication to make you aware of this unfortunate occurrence," Rushing wrote. "We apologize for the incident and we are exploring various avenues so this does not happen again."
In the meantime, Equifax will offer a free one-year subscription for its Credit Watch Gold monitoring product to anyone who is concerned about the risk of identity fraud, Rushing offered.
ADP, which issued the tax forms for Equifax', said it had informed Equifax of the situation.
"This was an isolated incident and we immediately took the appropriate steps to ensure that this does not occur again in the future," an ADP spokesperson said in a statement. "The privacy and security of our clients' information is something we take very seriously."
An Equifax employee whose Social Security number was exposed in the mailing said that Equifax was negligent in its responsibility to protect employee data, which reflects poorly on its reputation as a company that helps consumers protect themselves against identity fraud.
"If they can't do this internally how are they going to be able to go to American Express and other companies and say we can mitigate your liability?...They are first-hand delivering information for the fraudsters out there," said the employee, who asked not to be named. "It's so terribly sad. It's just unacceptable, especially from a credit bureau."
Rushing referred a call seeking comment to another Equifax representative who returned a call and left a message for CNET on Wednesday night but did not return repeated calls on Thursday.
Data breaches happen all the time, and even data leaks through mailings aren't uncommon, said Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse. Recently a California state agency sent some government workers letters in which their Social Security numbers were exposed, he said.
"One could say that Equifax employees are uniquely in a position to know the value of maintaining the confidentiality of their Social Security numbers, so it certainly is somewhat ironic that they would be the individuals who had their data compromised, by their own employer no less," he said.
Individuals concerned about identity fraud after data leaks, Stephens said, should sign up with a service that monitors activity on all three credit bureaus: Equifax, Experian, and TransUnion. For people who want to be "super careful" he recommends they place a security freeze on their credit reports so that even if fraudsters have the Social Security number they won't be able to open any new accounts in the victim's name.
Separately, hackers broke into the network of benefits and payment system provider Ceridian in December, exposing Social Security numbers and in some cases bank account information and birthdays of possibly several thousand people, according to a report Wednesday in ESecurityPlanet.
A Ceridian spokesman did not return repeated calls or an e-mail seeking comment.
Update 12:20 p.m. PSTwith ADP comment.