US Bank workers, ADP hit by tax refund thieves


Some workers at U.S. Bank had their stolen identities used to file fraudulent tax returns through human resources software firm ADP, according to cybersecurity blogger Brian Krebs.

About 2 percent of U.S. Bank's more than 67,000 employees had their tax and salary data stolen, a bank spokesman told CNBC. The theft was discovered when thieves used previously stolen data to register accounts in the employees' names. The bank has been investigating the weakness in its W-2 portal since April 19, the bank told employees in a letter obtained by Krebs.


ADP said that crooks would have needed dates of birth and Social Security numbers to create an account in someone's name in the ADP system. In addition, U.S. Bank posted an authentication code on an unsecured page online, unaware that the code was privileged.

"Any potential exposure of W-2 information was limited to individuals who have had their personal information compromised previously (unrelated to ADP) based on ADP's investigation to date," the company said in a statement to CNBC. "Publishing unique registration codes to an unsecure website is not common practice. ADP actively advises against this practice, notifies clients of the potential risks and has temporarily disabled access to the registration portal for those clients that continue to publish company registration codes in this fashion."

The security breach comes at a time when fraudulent W-2 schemes have become increasingly common.

U.S. Bank's shares were down about 1.3 percent after the report, while ADP shares fell about 0.7 percent. U.S. Bank declined to comment further on the report.

"ADP has no evidence that its systems housing employee information have been compromised," ADP said in a statement to CNBC. "Additionally, the company is working with a federal law enforcement task force to identify the fraud perpetrators."

For the full story, check out