Northrop Grumman can make a stealth bomber – but can't protect its workers' W-2 tax forms

'Stolen creds' used to swipe data on aerospace giant's staff


Northrop Grumman has admitted one of its internal portals was broken into, exposing employees' sensitive tax records to miscreants.

In a letter [PDF] to workers and the California Attorney General's office, the aerospace contractor said that between April 18, 2016 and March 29, 2017, crooks infiltrated the website, allowing them to access staffers' W-2 paperwork for the 2016 tax year.

These W-2 forms can be used by identity thieves to claim tax rebates owed to employees, allowing the crims to pocket victims' money. The corp sent out its warning letters on April 18, the last day to file 2016 tax returns.

"The personal information that may have been accessed includes your name, address, work email address, work phone number, Social Security number, employer identification number, and wage and tax information, as well as any personal phone number, personal email address, or answers to customized security questions that you may have entered on the W-2 online portal," the contractor told its employees.

The Stealth Bomber maker says it will provide all of the exposed workers with three years of free identity-theft monitoring services. Northrop Grumman has also disabled access to the W-2 portal through any method other than its internal single sign-on tool.

The aerospace giant said it farmed out its tax portal to Equifax Workforce Solutions, which was working with the defense giant to get to the bottom of the intrusion. "Promptly after confirming the incident, we worked with Equifax to determine the details of the issue," Northrop told its teams.

"Northrop Grumman and Equifax are coordinating with law enforcement authorities to assist them in their investigation of recent incidents involving unauthorized actors gaining access to individuals’ personal information through the W-2 online portal."

According to Equifax, the portal was accessed not by hackers but by someone using stolen login details.

"We are investigating alleged unauthorized access to our online portal where a person or persons using stolen credentials accessed W-2 information of a limited number of individuals," an Equifax spokesperson told El Reg on Monday.

"Based on the investigation to date, Equifax has no reason to believe that its systems were compromised or that it was the source of the information used to gain access to the online portal." ®


Biting the hand that feeds IT © 1998–2022