Payroll hole exposes dozens of companies

Flaw in PayMaxx Web site exposed the financial information of customers' workers, the payroll-services firm acknowledges.

Robert Lemos Staff Writer, CNET News.com

Robert Lemos

covers viruses, worms and other security threats.

See full bio

Robert Lemos

Feb. 25, 2005 7:12 p.m. PT

2 min read

The payroll records of at least a dozen companies were exposed to the Internet by a flaw in the online W-2 service of PayMaxx, the accounting firm has acknowledged.

The flaw, uncovered by a Web application programmer this week, affected a limited number of customers, PayMaxx said Thursday in a statement sent to CNET News.com. PayMaxx closed the site Wednesday, after the researcher claimed that two security holes had exposed data on more than 25,000 people. Only six attempts to access unauthorized data were made in the week before the company shuttered the site, Tennessee-based PayMaxx said. The company said no other attempts had been made to exploit the vulnerability.

"Based on our initial analysis, the potential exposure is limited to a small number of companies and W-2 forms," PayMaxx said. "We have no evidence to substantiate that any other access has occurred."

The site remained offline on Friday.

Other companies have recently acknowledged that they may have inadvertently left consumer information unprotected. Last week, data-collection company ChoicePoint said information on approximately 150,000 subscribers was given to about 50 fake business fronts created by fraudsters. On Friday, Bank of America announced that lost backup tapes may have left as many as 1.2 million records unprotected.

In addition, cell-phone service provider T-Mobile has dealt with ongoing security problems that have led to the publication of celebrity Paris Hilton's personal information and the phone numbers of many Hollywood stars.

A description of the PayMaxx problem posted on Think Computer's Web site by Aaron Greenspan, president of the software start-up and the researcher who uncovered the flaw, said the security issues could let anyone view the W-2 forms generated for employees of PayMaxx's clients for the last five years. PayMaxx, however, disputed the report and accused Greenspan of withholding information that could have allowed it to act more quickly.

"Due to the lack of specificity provided by Mr. Greenspan in his obvious sales pitch, PayMaxx did not view his communications as credible," the company said in its statement. "Consequently, we declined his offer to hire his services."

Greenspan said PayMaxx is downplaying the problems.

"Think (Computer's) personnel made far more than six attempts to test the vulnerability...indicating that PayMaxx may be either hiding or missing crucial evidence of past break-ins," Greenspan said in an e-mail interview with CNET News.com.

PayMaxx plans to notify every company affected by the flaw, the company told CNET News.com.