P2020-ND-149

The Organization uses a third party vendor, PaperlessPay Corporation (PPC), to provide its employees with electronic access to tax slips and pay stubs in PPC?s database, On February 20, 2020, the Organization received a notification from PPC that an unknown party had issued an advertisement purporting to sell access to PPC?s database on the dark web. The Organization requested and confirmed that PPC removed all of the Organization?s data from the database. On March 20, 2020, PPC confirmed that the threat actor had gained access to its database servers; the access occurred on February 18, 2020. PPC?s investigation did not determine what data had been accessed or viewed by the threat actor, if any. PPC advised the Organization that, following comments from the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), it believed the threat actor only accessed the database to determine its size, and that it did not directly access any individual?s data; however, PPC could not rule out the possibility of unauthorized access.

File Type: pdf
File Size: 620 KB
Categories: 2020