Wife started a new job, identity was stolen a week later.



You'll want to put a fraud alert on each of your credit reports as well as freeze them. May also want to do a police report as well as notify the FTC. You'll want to go through and secure and close the new accounts that were opened as well as inform each institution. Http://www.IdentityTheft.gov has some good resources and more thorough tips. Good luck!


Police, police, police. If there's a pattern, it's more likely than not they can get to the source. For crying out loud, HR should've made that call at employee #2 or at worst #3 to report this.


This is assuming that the HR person isn’t the one selling the info.


Not enough people consider internal actors. Can't tell you the number of low level employees supplementing their pay with people's identity.


> Can't tell you the number of low level employees supplementing their pay with people's identity

My SO's aunt was a manager at a local restaurant. One day she was approached by the owner and a detective. Turns out they had narrowed a pattern down to their restaurant being charged frequently before lots of ID theft. So she worked with them and set up a covert surveillance system after hours. Within a week they had caught one of the bartenders copying Driver's ID and Credit card info down.


It's crazy how many people are overly cautious about using a credit card online, even with reputable vendors, but will hand it to a bartender, waiter or fast food employee (who just needs to run to the other terminal out of sight because this one isn't working at the moment) without a second thought.


What are we supposed to do? Stop using our cards until they implement wireless POS card readers in the US like they do in civilized countries? The CC companies would rather pay the cost of the fraud than upgrade their systems.


The US doesn't have wireless card readers? ...why?


We do, but they aren't required. They are around, but if they aren't no one really bats an eye. As that poster said CC companies are really the ones that bear the cost as they reimburse almost immediately. So it most likely does not yet cost them enough for them to force the issue with vendors.


CC companies are not liable for charges made with magstripe afaik. The merchant is liable for chargebacks due to fraud on magstripe and manual entry. Also, it is worth noting that some places in the US do have chip readers at the table but it's not common.


We do, just not ubiquitously. America does very little universally. There's several decades of POS technology being used simultaneously.


I actually like using my apple credit card, because it doesn’t even have physical numbers written on the card anywhere. It’s just totally blank. If I want the actual number, I need to use my phone, (and get past a password prompt) to see it. The only info permanently engraved on it is the card issuer (MasterCard) and my name.


Technically, the card issuer (the entity that gave you the card) is Apple. Mastercard is the card network.


The bank is technically Goldman Sachs, not Apple (not that they couldn't afford it tbh...) I like my Apple card as well.


This is why I prefer to use cash for smaller IRL transactions. You can't steal identity from it.


Can’t steal your identity from a CC number either. Just call, report it, they will refund any charges and send over a brand new card. You need SS #, driver's license #, home address etc to steal someone's ID.


Exactly. My card number has been stolen twice in the past 10 years, but was only mildly inconvenient to replace and had no lasting consequences. Plus I use a rewards card that gives me 1.5% minimum cash back on every single purchase I make. Why would I not use it any time I can?


This is how my identity was stolen at a Moe's Southwest Grill. Want to know how I know? The employee was dumb enough to buy plane tickets IN THEIR NAME with my credit card. Cops tracked them down and they were employed at the Moe's I ate at a week before my identity was stolen......


This. I used to work at a pizzeria. People gave me their credit card numbers countless times over the phone without a second thought


Internal actors can go well beyond just "that one HR person", but that still doesn't dismiss her as a potential source.

Does OP's wife's new company do their payroll internally or do they use a 3rd party vendor? If the former, then anyone in the payroll department, people in IT, and anyone who has access to the files of the payroll department could get access to these people's information. If it's a 3rd party vendor, then that company could have access to this information as well.

Does the job offer benefits, a 401(k), a pension, or even a gym membership? The vendors providing these services also potentially have access to these people's personal information.

Was she hired directly by the company, or did she go through a recruiter? Did she provide the recruiter with private information such as her SSN to streamline applications? That's another potential leak.

Does the HR department observe secure file retention and shredding policies, or do they throw files into a wastebin out back? That's another potential breach of privacy.

Did the HR department have any business computers or flash drives reported stolen somewhere between your wife being hired and this stuff going down? That could also do it.

Does HR follow and stick to a clean desk policy (no personal information left on desks after hours)? If not, even the cleaners could potentially pick up on that kind of personal information.

And that's all off the top of my head.


That third party transfer could easily be the cause. My data was exposed a few months back when the state auditors office used one with an unpatched vulnerability. It doesn't help that they used a "select all" query for the PII table when they started searching, either.


We had a lady handling HR for a while that created a handful of fake employees in the system and was cashing their paychecks. She got away with it for surprisingly long.


In business school they were telling us how companies have started forcing mandatory vacation time because a higher up at an airline was doing the same thing and he wouldn’t take vacations so he could control the situation. When he was on a forced vacation the person doing his work for the time noticed a discrepancy with multiple employees having the same bank account number and that’s how he got caught. Interesting stuff, it’s hard to imagine it because we don’t think like criminals do but they really will find a way for an extra buck


In cybersecurity there are best practices taught such as mandatory vacation, rotations, and splitting job responsibilities so that no one person can do too much. For example, one person cannot both create a new employee in the system and add their bank credentials. This way two people have to be complicit which reduces the risk.
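The two checks raised in the comments above (several employees paid into the same bank account number, and one person both creating an employee and adding their bank details), sketched as a payroll audit. This is an added example, not part of any comment in the thread; the record layout, field names, operator names and sample rows are all constructed for illustration.

```python
"""Payroll audit sketch: shared bank accounts and separation-of-duties gaps."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PayrollRecord:
    employee_id: str
    bank_account: str   # as typed into the payroll system
    created_by: str     # operator who created the employee record
    bank_set_by: str    # operator who entered the bank details


def normalize_account(raw: str) -> str:
    """Drop spaces, dashes and case so '77-00 11' and '770011' compare equal."""
    return "".join(ch for ch in raw if ch.isalnum()).upper()


def mask(account: str) -> str:
    """Keep only the last four characters so the report itself leaks no PII."""
    return "*" * max(len(account) - 4, 0) + account[-4:]


def shared_accounts(records):
    """Map normalized account -> employee ids, for accounts paying 2+ people."""
    by_account = defaultdict(list)
    for rec in records:
        by_account[normalize_account(rec.bank_account)].append(rec.employee_id)
    return {a: sorted(ids) for a, ids in by_account.items() if len(ids) > 1}


def single_operator_records(records):
    """Employee ids where one operator created the record AND set the bank."""
    return sorted(r.employee_id for r in records if r.created_by == r.bank_set_by)


def audit(records):
    """Return findings, highest priority first.

    A shared account alone is only a lead (relatives can share a joint
    account). It becomes 'high' when a single operator handled every step
    for every employee paid into that account.
    """
    by_id = {r.employee_id: r for r in records}
    findings = []
    for acct, ids in shared_accounts(records).items():
        operators = {by_id[i].created_by for i in ids}
        operators |= {by_id[i].bank_set_by for i in ids}
        findings.append({
            "type": "shared_account",
            "severity": "high" if len(operators) == 1 else "review",
            "account": mask(acct),
            "employees": ids,
            "operators": sorted(operators),
        })
    already_reported = {i for f in findings for i in f["employees"]}
    for emp in single_operator_records(records):
        if emp in already_reported:
            continue
        rec = by_id[emp]
        findings.append({
            "type": "single_operator",
            "severity": "review",
            "account": mask(normalize_account(rec.bank_account)),
            "employees": [emp],
            "operators": [rec.created_by],
        })
    findings.sort(key=lambda f: (f["severity"] != "high", f["employees"]))
    return findings


# Constructed sample data: no real people, operators or account numbers.
SAMPLE_RECORDS = [
    PayrollRecord("E100", "4400-1122-33", "alice", "bob"),
    PayrollRecord("E101", "5500 9988 77", "alice", "bob"),
    PayrollRecord("E102", "7700-0000-11", "carol", "carol"),
    PayrollRecord("E103", "77000000 11", "carol", "carol"),
    PayrollRecord("E104", "7700000011", "carol", "carol"),
    PayrollRecord("E105", "6600-1234-56", "alice", "bob"),
    PayrollRecord("E106", "6600-1234-56", "bob", "alice"),
    PayrollRecord("E107", "8800-4321-00", "bob", "bob"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RECORDS):
        print(finding)
```

Matching on the normalized number matters: the three constructed "carol" records are typed with different spacing and dashes and would not collide on a raw string comparison.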


That would probably prevent 99% of attempts. But if they ever are complicit, they could potentially get away with it for a long time.


Yes, but you combine all of these things. Some organizations are too small where some employees will just have a lot of responsibilities, but for best practice you have 'defense in depth.'


Sure, but the point is that you just prevented 99%


> In cybersecurity there are best practices taught such as mandatory vacation

I just realised there is an actual security reason why when I was in the military you get an inquiry called on you if you don't clear your annual leave and it isn't just because of labour law requirements.


This happened at the county I live in and she got busted after stealing over a half million dollars.


In my case she was related to the owner so she only got fired.


This is a common occurrence. You'll find many stories like this.




More concerning is that they even put that info into an email.


I gave my social to a guy working at payflex to look up my HSA information. I felt stupid the moment I gave it instead of asking for an alternative verification method. Someone bought 6 iPhones the next day. I knew it was the rep from Payflex and called back. They told me that reps are not even supposed to ask for social.


I'm a network engineer. The largest threat to my company's network is its employees. I can put all the fancy security I want on it but I can't stop someone that's already on the inside from doing their job. And if that job is accessing HR or financial data, well, they're going to get it.


And cat videos. You can NEVER stop the cat videos, employees will always find a way


Worked for one place that had so many pain in the ass security measures on their WiFi that I went a couple weeks assuming the ethernet ports all over the place were at least disconnected or firewalled...nope. Anybody could walk into the lobby, break room, shipping/receiving waiting area or front conference rooms (which local organizations were often allowed to use pretty much unsupervised other than the guard signing them into the property) with a laptop, plug into one of the ports there and be right on the network, bypassing the WiFi's passwords, MAC address restrictions and login screen.

"So what stops anybody from just plugging in their own WiFi router?"

"Why would they even think to try that?"

"Well, I just did."

"We'd spot it right away."

"No, I mean I just did. You haven't spotted it yet. It's secured and restricted to my tablet's MAC address, so I'm leaving it until you manage to do something about it." (I'd already cleared this with the plant manager.)

They finally found it, physically, (it took them that long to figure out that fake potted plants don't need power and ethernet - the cables were in plain sight) after three days, and the IT "security expert" who set up those policies was replaced by the end of the month.


Security Engineer here :)


Wow, I never realized people did this. That's disturbing.


What’s really disturbing is when you find out the absolutely minuscule amounts of money these people do it for.


I was in charge of balancing cash and deposits each morning at a restaurant, and one time it was $20 short. The owner (jokingly) said "did you steal it?" After I replied "dude, we're sitting here with over $5,000 in cash. If I'm gonna steal, it's going to be a lot more than $20," he told me he wasn't sure if he should be more worried or relieved.


"Would I have mentioned that we were $20 out if I was stealing from you?"


Had a coworker at a bank get caught: dumbass was taking new signups, entering them as referrals, siphoning off the $25 referral bonus to an account under a stolen identity, then going back after a week or two and clearing out the referral info before anyone noticed...except that any time a field was cleared, it was logged. (For other reasons, but the logger checked all fields, so referrals got included anyway.) For less than $800 that he hadn't even pulled out of the catching account yet, dude got escorted on his walk of shame out of a job paying around $750/week (take home amount if you had the good insurance and maxed out the matching on your 401(k) - and minimum wage was still $5.15 at the time) by two Federal Reserve officers, a Texas Ranger and a local sheriff's deputy. The Fed don't fuck around.




I’ve never had a teller not count the money in front of me before they hand it over or put it in an envelope. It’s good policy for them, too, because security cameras will show they handed the right amount over to the customer!


That was my first red flag too. They always count it out in front of you, then it goes straight into the envelope without leaving your sight. FWIW, this is exactly why I always pull it out and count it in the drive through tube as well. People behind me can wait; I’m counting that shit before I leave, so the camera has me pulling it out of the envelope and counting it right then and there.


A guy I worked retail with would do a return for a customer, then a little later he would void the return, and then run the refund to his own card. He didn't think the refund to his card would be traceable since the original refund went to the cardholder's card number first. He didn't think they would be able to see the subsequent refund after the void. While the job was retail, he worked in a commission department and made pretty good money every week. He didn't get away with much and he got arrested in front of a bunch of customers. He definitely was not the sharpest tool in the shed.


Hmm. If he had stood outside the bank and asked people to be referred by him, it wouldn't have been so bad, right? I guess the stolen identity part was really bad.


It's still defrauding a financial institution. The banker was on company time and stealing. If he was off of the clock and referred new customers to the bank, then that's entirely different. When you work, you probably don't decide that you should be paid more and pocket an extra $25 from the till after every task.


I had a coworker, years ago (2002-2003), that stole $350 from the company I worked for. For $350, they pissed away a job that was frankly pretty good to their employees - if they had money issues (as I did, and as the person that stole did), they could take draws on their next paycheck, no interest or anything, for up to the amount of the (paid monthly) paycheck - and then take another draw the next month for a slightly smaller amount, and so on and so forth until it was paid in full six months later. (I did that to pay my taxes for... five years running? Something like that, at least.)


Places that have high turnover rates, I'm sure that little bit adds up quick.


This, I once had a training on insider threats, the amount of money that was given was a pittance. Sorry, if you want me to risk destroying my career and being blacklisted by my industry, you need to offer me more than a month's pay.


It's also disturbing how much a minuscule amount of money can mean to a person in poverty.


It's basically a "fuck you, got mine" attitude of doing whatever you can to benefit yourself. And it's an unfortunately common mindset. And crazy enough, they do it for small pay. Like fuck, in a city near me there was a huge scandal of a military member selling secrets to the Russians, tried for treason and all that. What was the financial compensation the Russians gave? 2 grand CAD a month. Like, I worked at a call center and made that, and dude was out there committing treason against his nation without even a golden ticket to escape.


Whenever I look at something and think "you could not pay me enough to do that" (like committing treason), the answer is always the same: the person doing it is getting paid shit.


> you could not pay me enough to do that

Crime literally doesn't pay. Stats say that with very exceptionally rare statistics, you end up worse off. Sure it might help with a tight monetary spot now but you will have lower earnings for the rest of your life. I mean, take Bernie Madoff. Sure, he's one of the rare exceptions that didn't end up making less. But his wife attempted suicide, his eldest son was successful in his suicide attempt, the other son died shortly after that from cancer, and he died in prison. Sure, he might have justified it as giving his wife and kids a better life but he didn't -- it made one kid's life much worse and the other kid died anyway. In the long run, I just don't think it was worth it. And as sad as Bernie Madoff's story is, he's one of the rare "winners" -- just about everyone else ends up even worse off.


Most of the spy/treason/defector stuff I have read about is usually not done for the money, it's either ideological (for example, believing that no one nation should have so much power, so they sell nuclear secrets to other countries to balance the scales), or they've been turned into an asset with blackmail/kompromat to keep them in line. Also let's be real, if you're smart enough to ask for 7 figures, you probably also have put a lot of thought into how to hide it and are less likely to get caught.


Doesn't matter what they're paying, the moment you do it, they own you. It's never worth it.


They generally have leverage, at least some minor amount, that they inflate in such a way as to make the person feel they have no other choice. Or the person legitimately wants to help the other side.


Many years ago I had a weird situation at one of my previous jobs. One day we all got e-mails from our corporate HR/counsel (can't remember for sure) to be extremely vigilant about our surroundings, both in the office and out of office, and report any suspicious activity. Next day we noticed several "serious" people in suits lurking inside our office and randomly checking badges in hallways. Then a few days later it all stopped. Only much later I heard a rumor that a young lady who used to work in payroll accounting or some kind of other HR function and technically had an unrestricted access to ALL information about ALL company employees (financials and other information like addresses, SSNs etc.), got personally involved with some known criminal, and they conspired to steal some kind of personal information to sell it to his buddies or otherwise use for criminal purposes. When this surfaced, she got terminated on the spot and escorted out of the office, but as a precaution some extra security measures were implemented later on. I've never heard anything about that case back then and I wouldn't have even remembered about it if not for this thread...


It's the easiest way to hack or steal anything. Why spend 100k or more for a zero day when you can just get into a system with a 20k bribe.


Some lady in HR at my work just got fired for similar shady shit.


Not the same thing but I've always wondered why someone is targeting people at my company with phishing emails and could never figure out why they would even bother, though I suppose that if they got the right person's credentials, they would gain access to the HR system and lots of confidential info. Man, people suck... Thankfully, our IT department finally seems to be doing something about it as lately, the phishing emails are disappearing from our inbox a few minutes after they arrive. I've reported each one to them and hopefully others did as well.


Had a smaller version of this at a restaurant recently. Restaurants were requiring customers to leave their phone number and name to dine in, there was about two weeks where I was eating out a ton and then next thing you know I’m getting the crazy Pervy spam texts of shame. F.


or the company used for background checks. You want to outsource solid there. There's a few areas where things can be leaked. Also people think email is secure, and it's not at all.


Humans are the weakest and easiest security link in any organization. One of our major hospitals in New Zealand has been brought to a halt by a ransomware attack because someone opened an email attachment.


Honestly, the companies themselves are partly to blame in this I think. I get inundated with countless internal emails that are of no use or interest to me, and spend far too many unproductive hours sorting them out and trying to find the ones I actually need to see. Upper level management produces/encourages/supports/tolerates this, so it's at least partly their responsibility if I accidentally click a malicious link when trying to get through the backlog of bullshit emails they've buried me in after a few days off.


As someone who works in the industry, companies are almost entirely to blame for this. Yes the employee shouldn't have opened the attachment (and definitely shouldn't have run macros if it was a document), but employees are always going to get phished or otherwise practice unsafe practices. There should be training to limit this, but also the organization should be setting up security controls so that when someone is inevitably compromised, the risk is significantly mitigated. A dedicated attacker will always find a way past the perimeter, it's up to the security staff to ensure that the damage is minimized.


They would be really dumb to mention that 3 other employees also reported it.


It wasn’t clear the guy who dismissed the importance was also the one who indicated three other employees had it happen to them.


THIS! I got a Best Buy credit card for the 0% (paid it off before any interest accrued) and the guy that took my info to get the credit card IMMEDIATELY used the Credit Card number I had to give them from a current card to get the Best Buy Card to buy multiple Macy's $500 gift certificates that were immediately spent. Took me weeks to convince the MasterCard people that I didn't buy Macy's gift certificates. Cancelled the MasterCard. The HR person is in on it.


> THIS! I got a Best Buy credit card for the 0% (paid it off before any interest accrued) and the guy that took my info to get the credit card IMMEDIATELY used the Credit Card number I had to give them from a current card to get the Best Buy Card

Wat? You needed a credit card to apply for a credit card?


Could also be a compromised computer, vendor or integration.


I 100% thought it's the payroll guy...


Or in on the scam with the dismissive payroll guy.


It would seem weird for the HR person to tell them that they're the fourth victim if they were the ones stealing identities.


Interesting, my experience with identity theft was right around the time I changed jobs in the mid-2000s. Someone used my Social Security Number to open a Sprint account in my name. Only accurate info was the SSN and my name. It had an address where I'd never lived and they ran up over $500 in charges, partially in calls to a country where I didn't know anyone. I reported it, just to have a police report in case it was more widespread. And froze my credit accounts.


There was a guy that had a similar job in a company that seemed to have lots of applications coming in, and he admitted to using their applications to create PayPal accounts in their names and then I think he opened credit cards, but he was playing EvE Online at the time and would buy ingame time cards and then move them around in game and sell them in game. He was in Goonswarm, one of the bigger alliances in the game and used his job to get stuff in game, and he claimed he was never caught. Not saying that's what's happening to OP here but it doesn't take a criminal mastermind to figure out how to do it, if they've got the right job.


It’s also not realizing HR’s job is to cover the company not the employee. If they can get away with sweeping someone using their position at the company to commit identity theft under the rug, great. Because at the end of the day, people being able to get out with that information reflects badly on the company if the media gets wind. HR is to protect the company from liability, not the employee from the company.


HR knowing that there is a pattern of identity theft and not reporting it *is* a liability. It looks a lot better if a company self-reports to the authorities and catches a bad actor than if employees independently file police reports and it turns out HR knew there was a pattern and didn't speak up. You're taking the phrase 'HR is not your friend' and extrapolating it to 'HR will cover up obvious criminal activity to temporarily protect the company's image' The second statement may be true at some companies, but there are plenty of HR departments that would realize getting ahead of a story like that is a great way to avoid becoming known as the 'identity theft' company on Glassdoor.


Feel like the police are only useful in documenting the event but not really solving it. At least based on the other posts I’ve seen about identity theft. At the end of the day, a police report is useful.


> The HR woman told her she is 1 of 4 new employees that reported the same issue.(...)

> Also, the payroll guy at my wife's new job is completely dismissing the issue, pretty much saying it's not his fault.

Well, that doesn't sound suspicious at all! Sounds like they should evaluate for a data breach from someone in the company. Seconding those recommending credit alerts/freezes etc. just to be safe.


The police do not care. There is no utility to trying to convince them, get the paperwork you need and be done with it. Identity theft sucks and fixing it will take dozens of unpaid hours, no need to add more to the mix.


If the police think it's worth their time


Is there a particular reason you would want both a credit freeze and a fraud alert, and not just a credit freeze?


Thank you for the link!


Definitely close the new accounts


Are there other payroll / HR people at the company? Is there someone above the person you talked to? Do they know about the issue? Are portions of the process outsourced? If 4 new people have had their identity stolen it needs to be run up the chain of command to whoever is running the place *right now* and it should be investigated. If you have to be the one to do it don’t hesitate. If they’re not going to do anything about it you should talk to a lawyer and probably the police and start looking for a new job ASAP.


Agreed. Whether or not it was an "inside job" or negligence, the fact that it's happened to multiple people at the same company means at the very least, personal and financial information is not secure.


Probably the dumbest outcome is someone from HR or payroll is using their information to sign people up for Robinhood with their link so they can get a free stock out of it.


I’ll guess incompetence and that all the employees were impacted - but they haven’t figured it out yet


My money’s on Payroll Guy


IT guy probably also has access


Cool, you can pick him cause I already called Payroll Guy


The payout odds are great if you want to place a long bet on the janitor or cafeteria lady


And whoever compromised the hr computer. This also has a rather strong fingerprint of it being Network infiltration.


For sure. If 4 people's identities were recently stolen from the system you manage, and you aren't concerned about it - it's because you did it.




> run up the chain of command

HR's boss needs to know what is happening, this is a huge potential liability for the company if it's an internal leak / inside job.


I'm shocked the HR person actually said anything close to "yes, we've noticed this is a pattern." That's about as close to admission of liability as you can get without saying "WE'RE RESPONSIBLE 100%" outright


Plenty of people go to work, not all of them do their job


Email HR, CEO, and compliance (if you have that department...) in a professional manner but immediately


In case the CEO and HR are dismissive, the departments who SHOULD know what to do are:

* **Compliance Dept** (as the prior comment mentioned)
* Legal
* Ombudsman's Office (if you have one)
* **I.T. / Security**

Some of these may be combined as one dept, with one head, like my employer.


If an organization is large enough, they probably have some Compliance Hotline setup. Highly recommend giving them a call. Most frauds were uncovered due to tips like this. Please speak up


Did she have a pre-employment background check done? If she did and it was sent to a business that handles those for them, they probably have enough information to answer KBA authentication/ security questions.


I'm not sure if this would be the HR, Payroll, or someone with the company who does their background checks. Regardless this is a huge red flag and the company should be conducting an audit/investigation. If this is a large to medium company find the corporate ethics line and call someone. Consider contacting the state Attorney General's office and/or Labor & Industry. There must be a regulator who should be made aware of this situation.


WOW! This blew up. I truly appreciate all of the useful insight! I'm still making my way through the posts. The company she works for is a large nursing agency. I will definitely contact the industrial commission. Freezes have been placed on credit reports. Police report has been made. Again, I really appreciate it!


I don't want to scare you, just make you aware: there was someone who posted a few weeks ago that had had his identity stolen (may have been on a different subreddit) and he froze all his credit reports, reported it to his bank, etc - did everything right, right away and no matter how many holes in the dam he patched up, it sprung 60 more leaks a day. I was in charge of payroll for most of my career and the payroll person's attitude is not the least bit acceptable. I would ask what vendor they go through, have them contact the vendor about the data breach/how widespread is it, do research on your own, ask that the company pay for credit monitoring and what their plan is if the dam breaks - are they going to pay to have your wife's credit fixed, etc. I would put it all in writing so there is no misunderstanding of who what where and when the liability falls on. Document, document, document - better to have too much and never need it vs having nothing and really wishing you had it


As a company in the healthcare field, this is a huge issue for them and might be impacting the clients as well. Thank you for reaching out to regulators.


Did they use a company to do a background check on your wife before hiring her? If so the breach could’ve happened there or in the transfer of data between them and the background check company.


It is also possible that these new hires interviewed with the same companies in their field. So they provided information to a few different companies any one of which could be the source of the information breach. Even more reason for the company to ensure they aren't the source of the breach.


It always blows my mind that these jobs expect you to put your social security number on your job application and then they don't even put the applications in a secure place most of the time. Sounds like it's their fault


This right here. Those new people probably had their info sitting on someone’s desk. If it’s not someone in HR/Payroll it could be the cleaning staff or anyone else that could have walked into someone’s office and used their phone to snap some photos


As someone in HR, companies have a legal obligation to protect said information. It’s just bad companies don’t care as much.


Not sure how that's legal. Just another example of the working class being treated as disposable


Well it’s at least negligent. I would think they would have some sort of responsibility to secure that information.


It always blows my mind that people in the US just use a string of numbers that's not supposed to be used as identification in the first place everywhere and don't securely handle it. Sounds like it's you guys' fault for not having a national ID. And I'm going to get down voted to hell just for saying that.


That payroll guy is using his position to fuck people. Put freezes on everything and file a police report. Also point out the dismissive and questionable behavior of the payroll guy and if possible, go to the police together so they don't see this as a single victim crime.


That was my first thought. Second thought is he has a virus. They need to get IT in there to check the computers for data leaking backdoors.


He could just be rude and not have anything to do with it as they could be using a cloud payroll system and a bad actor has access to it. He may quite literally not handle that part at all besides data entry and the system could be compromised as I've seen that a couple of times.


Sure that's POSSIBLE. But if he doesn't give a shit about these assertions he might not care about a lot of other things. Lack of pride in work is a red flag for me.


That was my first thought as well. Something stinks to high hell in HR or Payroll. What's the old saying, 2 is a coincidence, 3 isn't? Or something to that effect.


2 is a coincidence, 3 is a pattern (with weak evidence)


I'd always heard it in 3 parts. Once is an anomaly, twice is a coincidence, three a pattern.


Once is happenstance. Twice is coincidence. Three times is enemy action. -Ian Fleming


Regardless, he has to care.... It's his dept. Is he 15? A more appropriate response from him would have been: *"I actually don't have anything to do with that data so I won't be much help to you. But this IS a serious matter so let me email my manager and copy you on it. Maybe they can guide you to the right person. How's that sound?"* We're not talking about someone losing their keys at the office. Or some staff lunches being stolen from his floor. We're talking about possible criminal activity occurring at his company, in HIS DEPT. Whether his eyes/hands touch the data is irrelevant.


Most likely possibilities:

1.) It's the payroll guy and the dismissal of claims is panicked reaction to being found out so quickly when he thought himself oh so clever.

2.) The payroll guy's computer is infected with a virus that allows remote access to all files.

3.) After-hours/overnight cleaning crew or building maintenance personnel with master key found paper copies of new employees information. Crime of opportunity.

4.) All 4 new employees went through Temp Agency or other 3rd party hiring service and possibilities 1-3 apply at that location.


You say this as if every organization has a team of IT security specialists standing by to zipline down through the skylights and search for viruses on everyone's PCs. All but the largest organizations have just a handful of people of uneven levels of training and talent.


What the fuck? Their entire network could be compromised. Or it could be the janitor or it could be a guy dumpster diving.




If several people starting at a company have the same issue at the same time, good chance the issue is there or at the very least the payroll guy is a good point for an investigation to start from.


If you could access production server from your workstation without some sort of manual authorisation (2FA, stepping stone server not accepting keys/certificates, filtering WAF), that would say some disturbing things about your network and security policies. Even worse if you could at the same time access random external FTP sites without any filtering, etc. I'm saying you should be able, but not in completely automatic, transparent, programmatic way.


Yup, as a payroll person you have access to people's personal / privileged info including SSNs, address, hourly rate / salary, yearly bonus amount, etc. While some companies may hide this information, you can view it. There are legitimate reasons why you need access to this data. Without it, you wouldn't be able to correctly create W2 forms around tax time for example. And there are other areas where you may need to use it as well. Source: Used to do payroll.




This person just doesn’t have a clue how payroll is usually even handled. All the people jumping to it being the payroll guy are clueless.


Definitely very suspicious to have 4 people with compromised identities. There is surely something wrong and in common here, but you literally have nothing verifiable in this post to validate your claims. I certainly hope whatever your job is, that in the event something comparable happened, you would be given the benefit of innocent until proven guilty. Not guilty until proven innocent like you have done here.


What a huge assumption to make. You read 5 sentences and can now confirm the payroll guy is committing fraud? Fuckin wild.


Similar thing happened to me. Former company sent out our W2 to a phishing scam. Then all of the stuff started opening. CCs, Sprint phone account, bank accts.

Freeze your and your wife's credit reports. When contesting or discussing these accounts the first thing these companies asked for was a police report. Have it scanned and ready to send. Next, accept that you have this for life and to regularly check your credit reports for fraudulent activity. Good luck


To everyone: Just go ahead and go freeze your credit today. Don’t wait until the day your identity is stolen.


I just want to say that the fact you mentioned this was connected to her new job (but not explicitly) is an issue. This has red flags all over it. Sounds like something is going on with this new employer (either malware and inadequate protections for data or an inside job).


> either malware and inadequate protections for data or an inside job.

So many posters here are jumping to one conclusion or another, so thanks for mentioning multiple possibilities. Plus there are more, like a subcontractor (background check service, payroll company, etc.) having any of these issues. Regardless, the fact that it's happened to 4 employees means the employer needs to take responsibility and seriously investigate it. Otherwise it's going to keep happening to other employees.


HR and payroll sound incompetent at best and malicious at worst. If this isn't a crazy good job, I'd consider it a red flag and continue her search. In regards to the identity theft; police, report, freeze everything, lock everything down. Get a credit report _every month_ and action any accounts you don't recognize.


You have to have a police report to challenge anything that comes up in the future so might as well call the non emergency line and get that done today.


This happened to me when I had a c-section, I was drugged up recovering in the hospital and was brought form after form to sign, with my SS# and my husband’s. When I got home, I eventually discovered several cards were opened in my name when I was there. I guess they banked on the fact that I would be too busy to notice or report it with a newborn around… and it was true. They had plenty of time to cover their tracks between stealing my information and me figuring it out. Anyway I’m really sorry this happens. It sucks when people in a position of power to obtain our personal information, take advantage of it.


The nursing staff did this??


Yes at Baptist Hospital in Miami


Might be a state employment office issue. Even though I have no proof of this, just a bunch of strange connections/coincidences, but I had someone try and do the same to me with information only available on the state's business portal or from the IRS. FEIN was used for a business I own, my SSAN, and all other personal/business information to try and get a 150K small business Covid Relief loan, open numerous bank accounts, etc. And to those saying police; they told me to come back when something was actually taken from me, even though the state AG's site, the federal ID theft site, state to go file a report. So much for ID theft being a crime worthy of time any more.


This can also be a security breach, someone may have gained access to HR or Payroll's computer and/or email.


In my case this was all a part of unemployment fraud. Critical information was gathered from the state and the bank accounts were set up to receive direct deposits. They got all new hires and the owner randomly.


Someone in HR's email is compromised. Betting the guy who dismissed it. If I'm not mistaken, they might be liable for this.


I was visited by the Secret Service a bunch of years ago at my office (to my surprise) because they were investigating a cyber financial crime that had some tentacles in one of our vendors. I discovered that they investigate all kinds of financial crimes and have on their website an area that shows all of the investigative services they have -- https://www.secretservice.gov/investigation/cyber


Sounds like an inside job from HR/Payroll. Try to contact corporate or whoever the general manager is ASAP. Also freeze everything.


It could also be the background check services they use.


Or a 3rd party payroll processer.


You should ask your HR if the company has cyber liability insurance. If they have a data breach this can help with litigation and whatnot. You could have clients lose sensitive data as well. This will also alert them to be more concerned. Cyber liability is usually attached to either commercial umbrella or general liability, I forgot which one. I've never had to file a claim but most businesses have it.


please figure out who those other 3 people are and convince them to also go to the police. this seems like it should be so freakin easy for them to figure out if all the victims cooperate.


HR is not properly securing their records. Admin password to the remote login is probably admin, or they have a drawer with SSNs on paper with no lock on it.


HR guy is probably selling employee data.


These situations are happening in a scary frequent way. Just the other day my co-worker on her first day got an email from the "boss" asking for some credentials information. Her email was brand new (company extension). We are thinking the boss's mobile or laptop might be compromised. In your situation whoever is responsible for typing in your information has either a compromised system or is doing it himself. Sounds like that company needs outside help to figure it out, like an IT security review.


Open a TransUnion account and an Experian one, the free versions. Freeze & lock credit. This is besides her bank freeze. These will force any bank to call you before opening an account. Two-factor authenticate emails, phone and every account you have. Change all her passwords, even for stores, Walmart etc. Everything. I use Google Authenticator and the 1Password app. Trust me, it's worth it. She can't use the work computers or save the passwords in their browser. Almost everybody saves passwords, credit cards in the browser. That means anyone just has to sit down for 1 minute to get access to all your stuff. Idk what her job is, but she and everyone must follow these steps to avoid losing their identity. Let me put it how simple it is to lose your identity: when one person is looking for jobs, you fill a bunch of applications, all your info is there and sometimes they even ask for your social. Most businesses are extremely loose in security. Anyone can come to the HR office and chat and talk etc., take a screenshot of the documents and that's it.


Some asshole in accounting or HR is stealing people's info. My money would be on accounting since HR was up front telling you it is 4 people having the same experience. The fact accounting dude denies shit screams he is the first dude to be watching.


As someone who works in HR these comments make me want to pull my hair out. **It is far more likely a cyber security issue than a physical stealing of forms.** Most applications are online these days, and onboarding paperwork is done online too (I-9, tax info, etc). Even if all of this *is* done on paper, HR needs to verify employment in the first 3 days of hire and that part is done online. Name, social, address, phone number, etc are all put in during this process. Their computer is probably compromised and I'm shocked that they told you other people are having the same issue and are not taking it seriously. Raise hell, OP. They should be worried about a lawsuit.


Thank you! The initial 4 employees came up in casual conversation that my wife had with someone in HR, retelling her story about the identity theft. Just today she found out about 2 other employees who were also affected.


My wife and I agree with you, probably a security issue. Thank you for the info!


If I was investigating this I’d start by questioning all HR staff and auditing their on boarding procedure. Advice: if this is a remote job (over state lines) I might just fill out a quick FBI report as well seems very odd that so many people were impacted.


Get ahold of whoever the head of finance is...whether it's a Controller, an Accounting Manager, a CFO, a Director of Finance. The payroll guy will report into one of these people. One person having an issue is a one-off; two people is odd; three people is a pattern and a problem; more than that is a major issue. HR should already have escalated this and if they haven't, finance needs to know.


Screw finance, and HR... legal needs to know. Trust me once they do, they'll get everyone else in line.


Get it in writing from your wife's employer. The fact that you reported the incident and their response. Also it is possible that the employer's network or computers have been compromised. They may suffer the wrath of ransomware or some other malicious 'hack' some time in the future if not addressed.




The dude in payroll is the one doing it. Anyone in payroll who says someone's money going missing is no big deal shouldn't be in payroll. He should also know that his is the first head to be called for when payroll has a hiccup.


“not my problem” - guy who steals identities


Sounds like an issue job from HR/Payroll. Try to contact corporate or whoever the general manager is ASAP. Also freeze everything.


I really hope you guys can get it resolved. I would bet that the payroll guy at the new company was working from home on an unsecured network and clicked on a link to win unlimited amazon gift cards or something like that, and the information was compromised. You trust these H.R. professionals to keep your information secure but they're careless sometimes. Nothing to this level ever happened for me, but I have found my on-boarding payroll paperwork on my boss' desk, completely unsecured and a copy of my passport. Anybody could have grabbed it and he'd never know. I asked for it back to shred it.


We suddenly started receiving unemployment verification requests for a former employee who had voluntarily resigned almost a year earlier, and who I knew had another job… I reached out to him and sure enough, his most recent employer uses ADP and ADP’s system had been hacked. Stole the guy’s name, SSN, DOB and started filing unemployment claims in two states with completely bogus work info. What a mess. Hopefully your HR dept is reporting it to their payroll software company, if applicable.


> The HR woman told her she is 1 of 4 new employees that reported the same issue.

In my corporate days... I went through this issue along with several colleagues. You also said: "the payroll guy at my wife's new job is completely dismissing the issue, pretty much saying it's not his fault" and I agree with him. And that's because after exhaustive research from within the company and Law Enforcement (yeah, we had to meet with the local PD), it came about that the fraud was originating from an employee within the Payroll company itself, i.e., not the in-house payroll person that processed the payments. Who was the payroll company? ADP... It was fucked up. In a matter of days, thousands of dollars were stolen from my account. Luckily, my bank made me whole in a matter of days. It was a pain in the ass..


I have done payroll processing jobs in the past. If 4 people hired at the same time are reporting identity theft, it's not a coincidence. Maybe a hack, maybe an inside bad actor. I've had access to hundreds if not thousands of people's confidential identity info. Fortunately, I'm not a piece of shit, so never did anything nefarious with it.


Def get Wage and Hour dept involved in your area. Also get the HR to investigate. It seems they are just kicking back waiting for more reports. All of the employees that touched your info need to be interviewed and potentially arrested/ fired. Also HR isn't there to help you like you think. They will try to protect the company always before the employees. So believe they aren't working in your best interest, more so trying to cover their tracks.


The call is coming from INSIDE THE HOUSE!


Everyone is pointing to Payroll, I'd like to also point to IT. We had one of those recently local who was using, and logging, credentials to various 3rd party sites. Follow suggestions- freeze everything. Get the police report. Let HR know about said report AND get that other new employee to do it too.


The company should be taking care of any personal data that should not be left out for anyone to see, it should be kept in a locked cabinet / room when not being used. Tell her to report it to HR /line manager in an email as well as an outside source, try to get all conversations in email and not spoken so she has traceability


Yeah she may want to consider finding another job, on top of the other stuff mentioned in the best comments.


likely, that particular employee at the company who handles these things had been phished and has given access to her account to complete strangers.


OP, it’s a huge red flag that HR and Payroll are being so casual about this. The fact that this has now happened to several people is suspicious. Has she been introduced to the other employees yet? Make sure she’s documenting everything. I feel like something is going very wrong with the payroll department. Stolen identities is a significant issue. Monitor everything.


Please call the police immediately! They would want to investigate your place of work, this could be part of a larger pattern. Very sketchy that HR mentions other new employees having their identity stolen as they started as well - could be a flaw in securing sensitive info or a bad actor internally, or something else. Also report it to the credit bureaus, freeze her credit immediately.


We did immediately. This morning she found out that 2 more employees were affected as well, bringing it to 6. Same bank, same issues.


Ransomware has been heavily on the rise. My job was a victim a few weeks ago. Is it possible they got hacked and don't know it?


This is an internal theft at your new company, I’d press the person I personally gave my info to for answers


Correlation does not equal causation. It's scary how easy it is to steal someone's identity. There are studies that show there is a good chance you know the person who stole it. It's better to do what you can right now to deal with the issue, bank account freezes, password changes, notifying the police, etc. Least then you can see the light at the end of the tunnel instead of staring into the abyss for unknown time and getting lost.


I am taking a class for financial fraud and I just read a case study of almost this exact scenario yesterday—it’s likely someone within, sad to say. I would report it outside the company


I've done work with overseas call centers. The kind of business process outsourcing firms that HR software companies send their back office work to get done. These firms have a level of lax security you couldn't imagine. I saw a room full of people with cell phones in hand doing background checks for employers. They had access to American drivers licenses and other personal information all on the computer screen. No antivirus, pirated copies of windows, people paid $400/month who had a cell phone that could take pictures, and a black market for this information that paid them $50-$80 for an identity. Your employer likely uses an HR software that has one of these low cost labor outfits that does this kind of shady stuff. We need to implement better security as a nation around our social security numbers and how they work. It should be as easy as getting a new credit card number if my SS# gets stolen.


Just curious, but what’s the actual job. I know this may seem like a stupid question but is this a real company? I’m aware of scams where people are “hired” simply for their payroll information.


Call the police on the company. Whether shady or not


Seems to be data exfiltration. Aka HR (and probably the company itself) was hacked


This is so clearly an issue on their end, that the denials of this HR person makes me highly suspicious of that person in particular. Call the police.


People in nice comfortable jobs can surprise you with their corruption.


Hello! Crime doesn't pay because criminals are stupid. I would suggest anyone in Payroll who dismisses something like this is perhaps someone people* should take a closer look at.... *police


That payroll guy seems pretty suspect if he's really dismissive of an issue like that. Especially if it's new employees having this problem, I would be very concerned about him.