Paychex
A major payroll provider exposed employee data—SSNs, salaries, bank accounts, and tax information from companies nationwide.
What happened?
Paychex, one of the largest payroll and HR service providers in the United States, serving over 740,000 clients, disclosed a data breach affecting employee payroll records. Payroll companies are high-value targets because they hold everything needed for comprehensive identity theft: SSNs, salary information, bank accounts, and tax data.
What data was actually inside?
Social Security numbers, salary and wage information, tax withholding data, direct deposit bank accounts, benefits enrollment details, and W-2 records. Payroll data is the complete financial identity of an employee—everything needed for tax fraud, bank fraud, and identity theft.
W-2 data is particularly dangerous during tax season—fraudulent returns can be filed immediately using this information.
Who gets hurt and how?
Employees at companies using Paychex for payroll. They didn't choose Paychex—their employer did. Now their SSNs, salaries, and bank accounts are exposed because of their employer's vendor selection. The data enables tax fraud, direct deposit redirect scams, and unemployment fraud.
Salary information is also sensitive—employees may not want coworkers or family knowing their compensation. That privacy is now gone.
What did they think they were doing right?
Paychex is a publicly traded Fortune 500 company serving hundreds of thousands of employers. They have security programs, compliance certifications, and SOC reports. They handle tax filings with the IRS and state agencies. Companies choose Paychex specifically because payroll is complex and Paychex is supposed to handle it securely.
Being a payroll processor means being trusted with the most sensitive employee data. That trust requires security that matches the responsibility.
What did they not know about their own data?
Paychex did not know how reachable its aggregated payroll data was. Every paycheck processed adds to the repository, and every client adds more employee records. The aggregation that creates business value also concentrates risk: a single compromise of the aggregator exposes the employees of every client at once.
They knew they held SSNs and bank accounts for millions of employees. They did not know how exposed that data was until attackers demonstrated it.
What does accountability look like the morning after?
Notification to employer clients who then must notify their employees. HR departments fielding questions. Employees checking their bank accounts and tax transcripts. IRS notifications for suspicious filing activity. The chain of consequences extends from processor to employer to employee.
For Paychex, the breach threatens core business relationships. Companies trust them with payroll precisely because they're supposed to be secure.
What would have changed the outcome?
Knowing where every SSN and bank account lives across payroll systems.
If Paychex had mapped its sensitive data, covering every database, every integration, and every backup containing SSNs and bank accounts, it could have prioritized protection and detected anomalous access. The map has to include more than the primary payroll database: copies in reports, client integrations, backups, and logs all count, and detection only works if access to each of those copies is logged and monitored. Payroll data is the crown jewels of personal information. It deserves crown-jewel protection.
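The mapping step above is usually started with a discovery scan that walks each data store and validates candidate values rather than trusting a bare regex. The following is an added illustration, not code from Paychex or from the vendor behind this page. The store names, field names, and all record values are constructed; the SSN structural rules (area not 000, 666, or 900-999; group not 00; serial not 0000) and the ABA routing-number checksum (weights 3, 7, 1 repeating, sum divisible by 10) are the published ones. Bank account numbers have no standard format or checksum, so the scan uses validated routing numbers as the marker that account data is present.

```python
import re

# Constructed sample data: three hypothetical stores an inventory scan might
# walk (a production table, an HR export, and a backup). Values are synthetic.
SAMPLE_STORES = {
    "payroll_db.employees": [
        {"id": "1", "name": "A. Example", "ssn": "123-45-6789", "salary": "84000"},
        {"id": "2", "name": "B. Example", "ssn": "000-12-3456", "salary": "61000"},  # area 000: not an SSN
    ],
    "hr_export.csv": [
        # tax_id is an undashed SSN; the note carries a 9-digit number that fails the ABA checksum
        {"emp": "1", "tax_id": "123456789", "notes": "wire to 021000020 acct 55501"},
    ],
    "backup_2023.json": [
        {"emp": "1", "routing": "021000021", "account": "1234567890"},  # valid ABA routing number
    ],
}

SSN_RE = re.compile(r"\b(\d{3})-?(\d{2})-?(\d{4})\b")
ROUTING_RE = re.compile(r"\b\d{9}\b")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural SSN rules published by the SSA (does not prove the number is issued)."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def is_valid_routing(number: str) -> bool:
    """ABA routing transit number checksum: weights 3,7,1 repeating, total mod 10 == 0."""
    if len(number) != 9 or not number.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(number, weights)) % 10 == 0


def scan_stores(stores: dict) -> dict:
    """Build a data map: {store: {field: {"ssn": n, "routing": n}}}.

    Every store appears in the result, so an empty dict for a store means it was
    scanned and nothing validated, not that it was skipped.
    """
    inventory = {store: {} for store in stores}
    for store, records in stores.items():
        for record in records:
            for field, value in record.items():
                text = str(value)
                ssn_hits = sum(1 for m in SSN_RE.finditer(text) if is_valid_ssn(*m.groups()))
                routing_hits = sum(1 for m in ROUTING_RE.finditer(text) if is_valid_routing(m.group()))
                if ssn_hits or routing_hits:
                    counts = inventory[store].setdefault(field, {"ssn": 0, "routing": 0})
                    counts["ssn"] += ssn_hits
                    counts["routing"] += routing_hits
    return inventory


def stores_holding(inventory: dict, kind: str) -> list:
    """List the stores whose map shows at least one validated hit of `kind`."""
    return sorted(s for s, fields in inventory.items() if any(c[kind] for c in fields.values()))


if __name__ == "__main__":
    data_map = scan_stores(SAMPLE_STORES)
    for store, fields in data_map.items():
        print(store, fields or "(no validated SSN or routing data)")
    print("SSN stores:", stores_holding(data_map, "ssn"))
    print("Bank data stores:", stores_holding(data_map, "routing"))
```

The checksum and structural validation matter because a raw nine-digit regex over payroll data would flag salary figures, employee IDs, and phone numbers alike, and a map full of false positives gets ignored. The scan is only the first half of the recommendation: once the map shows that `backup_2023.json` holds bank data, that store needs the same access logging and monitoring as the production table, otherwise anomalous reads of the copy go unseen.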
Don't Learn What You Have From an Attacker
Paychex didn't know what employee data was at risk until the breach revealed it. Risk Finder shows you first.
Start Your Risk Assessment