Employees’ Personal Data Is at Stake

Key Takeaways:
  • No business owner wants to think their employees’ personal payroll data could be breached, but it happens.
  • Continually update your payroll software to patch security vulnerabilities. 
  • Multi-factor authentication stops 90% of attempted cyberattacks.


Protecting the data security surrounding your company’s payroll is much like protecting your operational data security. Except for one thing – the stakes are very different. Where factors such as proprietary processes and customer lists are vulnerable if your operational data is hacked, if your payroll data is attacked, employees’ personal information such as Social Security numbers, bank account numbers and salaries may be stolen. Not to mention their trust.

Both scenarios would be damaging to any company, but business leaders often focus their attention and budget on operational data security, assuming it will take care of the entire organization, or assuming their outsourced payroll provider will safeguard their payroll data.

But in today’s volatile cybersecurity environment, it’s critical that company owners and human resources managers understand that payroll data requires unique protection measures and consistent monitoring.

In 2023, there were 3,205 known data compromises in U.S. companies, nearly double the number in 2022. While these compromises did not all involved payroll data, the rate of increase in one year indicates the severity of the growing cyberattack threat.

Worst Case Scenario

As increasingly more business functions – including payroll – have become digitized and managed in the cloud, the efforts of hackers and cybercriminals have become more sophisticated, sometimes even victimizing people and organizations that have advanced cybersecurity protections.

In perhaps a worst-case scenario, Kronos Private Cloud – a service that includes some of the nation’s most popular workforce management software – was hit by a ransomware attack in December 2021. Approximately 8 million workers’ payroll records – and paychecks – were held hostage, including public transit workers in New York City, employees of FedEx and Whole Foods, and healthcare workers across the country who were battling the COVID-19 pandemic. Paychecks for employees from Montana to Florida were short by hundreds or thousands of dollars and the system was down for more than a month.

While the Kronos attack was extreme, it provides a glimpse into the potential severity of a payroll data cyberattack for any size company. It also shows the importance of making sure your payroll provider has best-in-class data security practices, and is utilizing every tool on behalf of your company.

Where are the Vulnerabilities?

There are several common events that happen between employees and HR departments that can introduce opportunities for threat actors to steal data, particularly those that involve communications around making changes in an employee’s record. Cybercriminals know these are vulnerable points and often create sophisticated phishing emails aimed at obtaining account numbers and passwords.

For example, employees notify the HR department when they change banks and need their payroll deposited into a new account, or when they want to change the amount of a 401(k) deferral.

The way these communications take place matters, as does the presence of a verification protocol. If an HR department receives an email from an employee requesting that their payroll be deposited into a new bank account, it could be a phishing attack. The HR department must first check the email address the request came from. They should then verify the request with the employee either by phone or by speaking face to face. Another best practice is having an employee sign a paper form verifying the request.

Key Tools & Practices to Protect Payroll Data

Other key tools and practices to protect payroll data include:

  • Create and document a business process that stresses safeguards around the human element in payroll changes. The process may require a face-to-face discussion or live phone conversation (not voicemails), or may require a PIN code, or may require that two people must be involved to verify any change in an employee’s payroll account. Make sure the process works for your organization. What works in a small company may not work in a much larger company.
  • Provide cybersecurity training for all employees on a regular basis, and include information specifically about payroll data security.
  • Continually update your payroll software to patch security vulnerabilities. Outdated software can expose your system to risks.
  • Encourage users to change their login credentials periodically. This practice helps prevent unauthorized access.
  • Restrict access to payroll systems and data. Only authorized personnel should have access to sensitive information.
  • Invest in software tools that detect and quarantine fake emails.
  • If you outsource your company’s payroll to a third party, ask them to send you documentation of their data security policy and practices. Ask if they are utilizing all available security tools on your company’s behalf. Look carefully at their process for implementing any changes in employee accounts.
  • If your outsourced payroll provider offers a portal through which employees may control their own accounts, what are the security measures that protect employees’ personal data? How many levels of approval are needed to make a change in an account? What verification methods are used when an employee requests a change?
  • Where possible, utilize multi-factor authentication for your company’s payroll software and portals. Where it is used, multi-factor authentication stops 90% of attempted cyberattacks.

After the Breach

No business owner wants to think their employees’ personal payroll data could be breached, but it happens. And once a payroll system is back up and running after a cyberattack, the headaches aren’t over. Dozens or, perhaps, hundreds of employees now have compromised Social Security numbers, bank account numbers and personal data, and will need guidance on how to protect their financial assets. Many companies that experience payroll data breaches pay for credit monitoring services on behalf of their employees.

Your employees are your company’s greatest assets. Protecting their personal data in your payroll system will help ensure that the trust you have built with them remains strong.

If you would like to discuss an evaluation of your company’s payroll data security, contact an Adams Brown Technology Specialist.