Confidential data on firm's site unguarded

February 25, 2005

Hiawatha Bray

A Boston computer entrepreneur says a software glitch at PayMaxx Inc., a Franklin, Tenn., payroll processing company, has accidentally revealed personal financial information on as many as 100,000 Americans.

''My record is in there, and I'm particularly angry because my Social Security number is in there," said Aaron Greenspan, president and chief executive of Think Computer Corp., which designs website software.

Unlike in the recent theft of personal data from the Georgia database company ChoicePoint Inc., there's no proof that computer thieves have copied any PayMaxx records. But the incident provides fresh evidence that sensitive data on millions of Americans are often stored on insecure computer systems.

A Boston software developer and Internet security expert, Richard Smith, said that such security lapses are common. ''The oldest problem in the book," Smith said when informed of the PayMaxx breach. ''I'm surprised it still happens."

The problem arose in a PayMaxx service that lets workers use the Internet to get their W-2 forms, the standard tax information form issued by companies to their employees. Greenspan said he notified PayMaxx about the problem in early February, but the company took no action. But in a statement, PayMaxx alleged that Greenspan demanded money to reveal details of the problem. ''Due to the lack of specificity provided by Mr. Greenspan in his obvious sales pitch, PayMaxx did not view his communications as credible," the statement said.

Greenspan replied that as a website programmer he thought it was reasonable to expect payment for his work. He pointed to an e-mail he sent to PayMaxx on Feb. 8, urging the company to have the problem fixed quickly, even if it brought in someone else to do it.

PayMaxx admits there was a problem but says the security breach was far less severe than Greenspan claims. ''Based on our initial analysis, the potential exposure is limited to a small number of companies and W-2 forms," the company said. PayMaxx said it would contact the affected companies and make sure their employees were warned about possible identity theft.

PayMaxx believes a bug was introduced this month, when the company modified its W-2 system. PayMaxx said it has no evidence that any would-be identity thieves gained access to data. ''At this time, PayMaxx has corrected the 'defect' and is taking all possible actions to ensure the safety of our customers and their employees' information," the company said.

Until recently, Think's payroll was processed by PayMaxx. Greenspan stopped doing business with PayMaxx in December; he said that PayMaxx had made a payment from his account without his authorization. Despite ending the relationship, Greenspan decided to perform security tests on the PayMaxx website.

It wasn't a new experience for Greenspan, who likes to check Internet sites for security flaws. In January, he discovered a problem on the wireless Internet system at South Station in Boston. A bug enabled Greenspan to see confidential information on the terminal network and on computers run by several nearby businesses. The problem was resolved.

Greenspan wondered whether he could also compromise the PayMaxx computer system. He was dismayed to find out how easy it was, he said. For example, the company's website lets individual workers view their W-2 forms, which contain a wealth of sensitive information, including name, address, income, Social Security number, and employer. Greenspan entered nine zeroes as a Social Security number, and six zeroes as a password. The site then displayed a sample W-2 form for a nonexistent person. Greenspan was then able to access his own W-2. But by changing some numbers in the Web browser's address window, he was able to display real actual W-2s.

As of Tuesday, the problem persisted. With Greenspan's help, the Globe was able to reproduce the security flaw and read W-2 information for several people in various states, including Illinois, Kentucky, Tennessee, and Utah. The Globe confirmed the accuracy of the names and addresses by checking them against, an online directory.

Greenspan conceded there's no evidence that anyone has collected personal information from the PayMaxx site to use in an identity-theft scheme. But he added that ''nobody who's exploiting it would tell them about it." Greenspan said any thief would have left traces in the PayMaxx computer's log files, but that it seems no one at the company checked. ''They weren't paying attention to any of their logs, because they would have found me," he said.

Last week, ChoicePoint Inc. said over 140,000 of its files may have been stolen. The firm was victimized by thieves who created fake identities to create seemingly legitimate businesses, which then purchased the data files. It's estimated the files enabled the criminals to defraud as many as 750 people.

main page ATTRITION feedback