https://krebsonsecurity.com/2021/07/intuit-to-share-payroll-data-from-1-4m-small-businesses-with-equifax/

Krebs on Security

Intuit to Share Payroll Data from 1.4M Small Businesses With Equifax

July 1, 2021

Financial services giant Intuit this week informed 1.4 million small businesses using its QuickBooks Online Payroll and Intuit Online Payroll products that their payroll information will be shared with big-three consumer credit bureau Equifax starting later this year unless customers opt out by the end of this month.

Intuit says the change is tied to an "exciting" and "free" new service that will let millions of small business employees get easy access to employment and income verification services when they wish to apply for a loan or line of credit.

"In early fall 2021, your QuickBooks Online Payroll subscription will include an automated income and employment verification service powered by The Work Number from Equifax," reads the Intuit email, which includes a link to the new Terms of Service. "Your employees may need to verify their income and employment info when applying for things like loans, credit, or public aid. Before, you likely had to manually provide this info to lenders, creditors or government agencies. These verifications will be automated by The Work Number, which helps employees get faster approvals and saves you time."

An Intuit spokesperson clarified that the new service is not available through QuickBooks Online or to QuickBooks Online users as a whole. Intuit's FAQ on the changes is here.

Equifax's 2017 megabreach that exposed the personal and financial details of 145.5 million Americans may have shocked the public, but it did little to stop more than a million employers from continuing to sell Equifax their employee payroll data, Bloomberg found in late 2017.

"The workforce-solutions unit is now among Equifax's fastest-growing businesses, contributing more than a fifth of the firm's $3.1 billion of revenue last year," wrote Jennifer Surane. "Using payroll data from government agencies and thousands of employers -- including a vast majority of Fortune 500 companies -- Equifax has cultivated a database of 300 million current and historic employment records, according to regulatory filings."

QuickBooks Online user Anthony Citrano posted on Twitter about receiving the notice, noting that the upcoming changes had yet to receive any attention in the financial or larger media space.

"The way I read the terms, Equifax gets to proactively collect all payroll data just in case they need to share it later -- similar to how they already handle credit reporting," said Citrano, who is founder and CEO of Acquicent, a company that issues non-fungible tokens (NFTs). "And that feels like a disaster waiting to happen, especially given Equifax's history."

In selling payroll data to Equifax, Intuit will be joining some of the world's largest payroll providers. For example, ADP -- the largest payroll software provider in the United States -- has long shared payroll data with Equifax. But Citrano said this move by Intuit will incorporate a large number of fairly small businesses.

"ADP participates in some way already, but QuickBooks Online jumping on the bandwagon means a lot of employees of small to mid-sized businesses are going to be affected," he said.

Why might small businesses want to think twice before entrusting Equifax with their payroll data? The answer is the company doesn't have a great track record of protecting that information.

In the days following the 2017 breach at Equifax, KrebsOnSecurity pointed out that The Work Number made it a little too easy for anyone to learn your salary history. At the time, all you needed to view someone's entire work and salary history was their Social Security number and date of birth.
It didn't help that for roughly half the U.S. population, both of the pieces of information were known to be in the possession of criminals behind the breach.

Equifax responded by taking down its Work Number website until it was able to include additional authentication requirements, saying anyone could opt out of Equifax revealing their salary history.

Equifax's security improvements included the addition of four multiple-guess questions whose answers were based on publicly-available data. But these requirements were easily bypassed, as evidenced by a previous breach at Equifax's employment division.

The Work Number is a user-paid verification of employment database created by TALX Corp., a data broker acquired by Equifax in 2007. Four months before the epic 2017 breach became public, KrebsOnSecurity broke the news that fraudsters who specialize in tax refund fraud had been successfully guessing the answers to those secret questions to reset TALX account PINs, which then let them view past W-2 tax forms for employees at many Fortune 500 companies.

Intuit says affected customers that do not want this new service included must update their preferences and opt out by July 31, 2021. Otherwise, they will be automatically opted in.

According to Intuit, customers can opt out by following these steps:

1. Sign in to QuickBooks Online Payroll.
2. Go to Payroll Settings.
3. In the Shared data section, select the pencil and uncheck the box.
4. Select Save.

This entry was posted on Thursday 1st of July 2021 02:56 PM

11 thoughts on "Intuit to Share Payroll Data from 1.4M Small Businesses With Equifax"

1. Nobby Nobbs, July 1, 2021

Thanks for the heads-up, Brian. I hope they get massive push-back on this.

2. Apollo, July 1, 2021

Criminals are also celebrating this news. That is a treasure trove of data waiting to be stolen. Sales and Marketing Departments will never see eye to eye with their Risk/Fraud/Cyber Security counterparts.

3. BoKnows, July 1, 2021

Who voted to put all of our financial data in the hands of the inept? We truly live in the dumbest system.

4. Rich W, July 1, 2021

Suppose you're an employee at a business that is using Intuit (or previously employed). Can I, as an employee, opt out of this? I tried logging into the site and it gave me an "Access denied" message. I'm ASSUMING that this means I cannot opt out of the program. Of course, this may be a moot question since they can say anything and do with my data whatever they want to, even if I can somehow opt out.

   1. BrianKrebs (Post author), July 1, 2021

   As I understand it, the decision is up to whoever administers the payroll account for the small business. AFAICT, there isn't a way for individual employees to opt out.

5. Anne D Knight, July 1, 2021

So glad I'm retired!

6. Tiny Naylor, July 1, 2021

I don't understand how anything positive could result from this kind of information sharing. For example, it's 100% legal in most places in America for someone who owns a small business to hire their relatives to work for them. I started working in a family owned store when I was 10 years old. All I can foresee is headaches for the business owner and the employee if they don't meet the expected standards.

7. Jeff Strubberg, July 1, 2021

As long as it's legal to monetize the personal data of others, this will continue. You can lay 95% of personal data loss directly at the feet of marketing.

8. Security and Privacy guy, July 1, 2021

California residents may be able to prevent this. If Intuit hasn't changed, and sought permission for, the change in processing from the owners of the data, they could be laying themselves open to a lot of private Rights of Action under CCPA or CPRA. I think they're trying to release the information as fast as possible to slide under the wire of CPRA effectivity, which is exactly as underhanded as I'd expect Equifax to be.

9. Houston Vanhoy, July 1, 2021

Q: What could possibly go wrong? A: Anything that you can imagine, and much more - Murphy's Law in full force. Thank you for keeping us informed, Brian.

10. Scott, July 1, 2021

Equifax, et al. is likely asking small employers to unwittingly violate the data security and privacy rights of the states in which they operate. There are many states with new and expanding requirements for employers and business to provide "due care" to safeguard customer and employee data!