PayMaxx Closes W-2 Site after Security Hole Found

February 25, 2005 (PLANSPONSOR.com) - Online payroll service provider PayMaxx closed its automated W-2 site this week after a researcher claimed that two security holes had exposed data on more than 25,000 people.

Aaron Greenspan, president of Think Computer, asserted in a paper posted on his firm’s Web site that the security problems at PayMaxx allowed any site visitor to view the W-2 forms generated for employees of PayMaxx’s clients over the last five years, according to a CNET News.com report.


Greenspan, a former PayMaxx customer, said he discovered the alleged problems in the company’s system more than two weeks ago, after he received notification that his W-2 tax form was available online for download and printing. He said he found the problem when the link to access the W-2 included an ID number and he wondered whether the company had protected against an obvious security problem: adding one to the ID number to get the next form.

According to the CNET News report, Greenspan found that another person’s W-2 was downloaded and readable. The vulnerability could have allowed employees at PayMaxx’s clients to access more than 25,000 W-2 forms for last year and the W-2 forms for years back to 2000, he said.

PayMaxx told CNET that a third-party security company was investigating the allegations. “No system in the world is 100% secure from a sophisticated and determined hacker,” the Tennessee-based payroll company said in a statement sent to CNET News.com. “PayMaxx has made and continues to make every effort to secure its system against any breach.”

Greenspan said his investigation also revealed that PayMaxx’s database contained a record for testing that contained a Social Security number of 000-00-0000 and a password of all zeros. That could allow anyone to log into the site and then use the lack of authentication to sequentially download all the W-2 forms, Greenspan said.
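As an added example that is not from the article, from Greenspan’s paper or from PayMaxx, the pattern described above (a download link whose sequential ID is the only thing gating the form) beside a handler that verifies the caller owns the record, plus a log check that flags one session requesting many different forms. All names, IDs and log records are constructed.

```python
from typing import Optional, List, Tuple

# Constructed sample store: doc_id -> (employee, last four of SSN).
# Sequential IDs, as in the W-2 links the article describes.
W2_STORE = {
    1001: ("alice", "1234"),
    1002: ("bob", "5678"),
    1003: ("carol", "9012"),
}

def fetch_w2_insecure(doc_id: int) -> Optional[tuple]:
    """Vulnerable pattern: the ID in the link is the only 'credential', so
    anyone who changes the number gets someone else's form."""
    return W2_STORE.get(doc_id)

def fetch_w2(session_user: Optional[str], doc_id: int) -> Optional[tuple]:
    """Hardened pattern: require a session, then verify the caller owns the
    record. A foreign ID and an unknown ID both come back as None so the
    response does not confirm that a given number exists."""
    if not session_user:
        raise PermissionError("no authenticated session")
    rec = W2_STORE.get(doc_id)
    if rec is None or rec[0] != session_user:
        return None
    return rec

def exposure(user: str) -> Tuple[int, int]:
    """How many stored forms one logged-in user can retrieve by walking
    every stored ID, under each handler: (insecure, hardened)."""
    ids = list(W2_STORE)
    insecure = sum(fetch_w2_insecure(i) is not None for i in ids)
    hardened = sum(fetch_w2(user, i) is not None for i in ids)
    return insecure, hardened

# Constructed access-log records: (session_user, doc_id, served).
ACCESS_LOG = [
    ("alice", 1001, True), ("alice", 1002, False), ("alice", 1003, False),
    ("bob", 1002, True),
]

def enumeration_suspects(log: List[tuple], threshold: int = 2) -> List[str]:
    """Detection: a single session asking for more distinct document IDs
    than threshold is walking the ID space, whether or not it was served."""
    seen: dict = {}
    for user, doc_id, _served in log:
        seen.setdefault(user, set()).add(doc_id)
    return sorted(u for u, ids in seen.items() if len(ids) > threshold)
```

With the ownership check in place, denied requests still land in the log, which is what makes the enumeration check useful.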

PayMaxx confirmed that the test account did exist as described in Greenspan’s paper, but took issue with other allegations. The company stated that from a review of Greenspan’s paper, it had found several of his claims to be inaccurate, but did not specify which claims.
