Payroll firm pulls Web services, citing data leak

PayMaxx shuttered additional online services this week, after a Web programmer continued to find holes in the system.

Robert Lemos Staff Writer, CNET News.com

Service provider PayMaxx shuttered additional parts of its online payroll site this week, after a Web programmer continued to find holes in the system.

PayMaxx's further closure of its Web services comes after a Web programmer, Aaron Greenspan, discovered that the company's initial attempt to block malicious access had fixed some flaws but left others unresolved.

While still referring to the data leak as "limited in scope," the online payroll processor closed down its PayView and Instant W2 services, the company said in a statement. The services will remain down until PayMaxx has completed a thorough security analysis and redesigned the site's architecture.

"We have sent all clients and key partners e-mails alerting them to the situation, and we are contacting the companies we believe may have been potentially affected by the hacking," PayMaxx said in a statement sent to CNET News.com.

The dispute between PayMaxx and Greenspan, president of Web services start-up Think Computer and a former PayMaxx customer, over the security of the company's Web site continued this week. PayMaxx referred to Greenspan as a "hacker," while the Web programmer maintained that the security problem is far worse than divulged by the payroll company.

The data leak comes at a time when several high-profile attacks have Congress looking into further legislation to protect people's private information. In February, data aggregator ChoicePoint warned that almost 150,000 consumer files had been compromised by scam artists who had set up fake companies to garner identity information. Last week, financial services giant Bank of America alerted government workers that backup tapes containing their information had gone missing.

Greenspan said he uncovered the problem with PayMaxx's Web site about three weeks ago and tried to contact the company. He said PayMaxx did not respond, so he posted a report detailing the flaws. That prompted PayMaxx to shut down its Web service for retrieving W2 information. Greenspan continued to prod the site's security and discovered more vulnerabilities this weekend, he said.

Greenspan said his attempts to find flaws in the site have been motivated by protecting his own information, from when Think Computer was a client of PayMaxx. "Think had an obvious interest in seeing that the problem would be resolved properly since its own data was stored in the affected systems," he said in an e-mail interview.

PayMaxx does not agree. The Web programmer has been far too intent on poking holes in the company's systems and has "numerous inaccuracies" in his report, PayMaxx said in a statement. The company did not specify which parts of his report were incorrect.

"We believe the hacker has violated federal law and we will take whatever action is necessary to protect the interests of our clients and our company," the company said.

PayMaxx has contracted an outside security company to test its Web applications' security and has ordered additional hardware and software to better detect intrusions, PayMaxx said in a statement.