Online payroll service provider PayMaxx shuttered its automated W-2 site on Wednesday after a researcher claimed that two security holes had exposed data on more than 25,000 people.
A description of the problem posted on Think Computer's Web site by Aaron Greenspan, president of the software start-up, said the security issues could allow anyone to view the W-2 forms generated for employees of PayMaxx's clients for the last five years.
PayMaxx did not acknowledge or deny the problems, saying that a third-party security company was investigating the allegations.
"No system in the world is 100 percent secure from a sophisticated and determined hacker," the Tennessee-based payroll company said in a statement sent to CNET News.com. "PayMaxx has made and continues to make every effort to secure its system against any breach."
The incident comes a week after background-check provider ChoicePoint acknowledged that data thieves had created dozens of fake companies to acquire more than 145,000 records touching on the personal lives of U.S. citizens. Federal legislators are considering strong protections on identity data following the ChoicePoint leak, and a class action lawsuit has been filed in California.
Greenspan, a former PayMaxx customer, said he discovered the alleged problems in the company's system more than two weeks ago, after he received notification from the company that his W-2 tax form was available online for download and printing. The link to access the W-2 included an ID number, and he wondered whether the company had protected against an obvious security problem: adding one to the ID number to get the next form.
Instead of being denied access, Greenspan found that another person's W-2 was downloaded and readable. Sequential, rather than randomized, ID numbers made it easy to call up numerous customers' data.
The hole could have allowed employees at PayMaxx's clients to access more than 25,000 W-2 forms for last year and the W-2 forms for years back to 2000, he said.
He said his investigation revealed that PayMaxx's database contained a record for testing purposes that contained a Social Security number of 000-00-0000 and a password of all zeros. That could allow anyone to log into the site and then use the lack of authentication to sequentially download all the W-2 forms, Greenspan said.
"Anyone could have been exploiting these security issues for years, and no one would have known about it," he said.
PayMaxx confirmed that the test account did exist as described in Greenspan's paper, but took issue with other allegations. The company stated that from a review of Greenspan's paper, it had found several of his claims to be inaccurate, but did not specify which claims. While PayMaxx did not confirm the problem, the company did qualify the extent of the damage.
"Our initial analysis indicates that if Mr. Greenspan was able to improperly access any W-2 forms, a limited number of forms were accessed," the company said in the statement.
That does not contradict Greenspan's claims, since the researcher said that he had only accessed enough of the site to confirm the issue and gauge the extent of the problem.
PayMaxx charged that Greenspan had "attempted to hack" into its Web site. It said he had held back details of the alleged flaws and had requested that PayMaxx hire his company.
"Due to the lack of specificity provided by Mr. Greenspan in his obvious sales pitch, PayMaxx did not view his communications as credible," the company said. "Consequently, we declined his offer to hire his services."
Greenspan acknowledged that he had given PayMaxx few details, but took issue with their lack of response to his security concerns.
"I did tell them that there was a problem, and gave them several options to deal with it, and instead they chose to do nothing," Greenspan said. "It is not my job to go around and fix problems for free."
PayMaxx declined to comment on whether it had notified any of its customers about the report of a problem. Under California's Security Breach Information Act (S.B. 1386), companies that may have leaked personal or financial data must advise their customers as soon as possible.