Recently, we have seen a rise in the hacking and fraudulent exploitation of HR data. In particular, the personally identifiable information (PII) of employees, stored by HR, has become a frequent target of cybercrime. While there are several ways in which PII can be used to scam both businesses and employees, one of the most prevalent is unemployment insurance fraud.

What is PII and why should businesses guard their HR files?

According to the U.S. Department of Labor, PII is defined as: information that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.)

PII is very valuable to cybercriminals because it can facilitate identity theft and other scams. These fraudulent uses of PII can cause great harm to its rightful owner, especially because it often takes a long time to discover the fraud and then rectify its impact.

While the business community is well informed on how important it is that businesses keep the PII and other sensitive information of their customers safe, many are not aware that similar care should be taken with their HR files. Yet, these files are a treasure trove of employee PII, and therefore, they are highly attractive targets for hackers.

The unemployment benefits scam

Cybercriminals often use PII from HR files to fraudulently apply for unemployment benefits. Because HR files contain all the information necessary to apply for unemployment — including names, social security numbers, dates of birth, and contact information — once hackers access your HR files, they have everything they need to impersonate your employees and scam the unemployment system.

A telltale sign that HR files are the source of the PII used in an unemployment scam is when numerous applications are made by employees of the same employer. If the government suspects that the employer is the source of the PII theft, it may launch an investigation to determine whether the employer’s lax security had contributed to the success of the hacking attack that ultimately led to the payment of fraudulent unemployment claims. If it’s determined that the employer’s security measures were inadequate, the government may sue the employer to recover the unemployment insurance money it paid to the scammers.

If it’s determined that the employer’s security measures were inadequate, the government may sue the employer to recover the unemployment insurance money it paid to the scammers.

Moreover, laid-off employees may also have the right to sue their former employer if their PII was stolen and they now find themselves ineligible to receive unemployment benefits because scammers have already applied for — and gotten — these payments.

How to better protect your HR files

As the convenience of cloud-based computing makes it easier to work remotely, HR departments are storing more and more of their data in the cloud. Thus, instead of being housed in physical file cabinets at a physical office or on the hard drive of a PC, personnel files full of employee PII are just a login away, accessible from anywhere.

The convenience of storing information in the cloud comes with higher risks and greater vulnerability to hacking. Now, hackers just need the login credentials to your HR’s cloud, and they can steal valuable PII information in a matter of minutes, leaving no easily detectable trace behind to alert you to the fact that your files had been hacked.

The good news, however, is that there are ways to make HR files more secure. The following three options are highly effective:

1. Two-Factor Authentication (2FA): Require anyone who accesses your systems to use extra security credentials beyond the login information. The most common type of 2FA is a one-time verification code the user gets by text, email, or authenticator app.
2. Whitelisting: Make it a policy that employees are only allowed to log into your systems from approved IP addresses and that anyone trying to log in from a non-approved IP address will not be able to do so. Note, however, that while whitelisting offers great protection for your system, it may create a degree of inconvenience for your employees because they will no longer be able to log in from anywhere. If they’re traveling, for example, even though they’re working on the same laptop during the whole trip, their IP address will change as they move from the airport’s network to the hotel’s network, and so on. Therefore, your system will no longer recognize the laptop as a whitelisted device and will no longer allow a log in from it.
3. Virtual Private Network (VPN): Deploy a VPN and make it a policy for employees to only log into your systems through the company’s VPN. Using a VPN will usually change your IP address to one that is whitelisted because a VPN creates an encrypted channel for your data, allowing you to use public networks and Wi-Fi hotspots safely. Thus, a VPN provides the security of whitelisting with the convenience of working from anywhere.

If you suspect that your HR files are not as secure as they should be, we can help. Contact Dr. Ronald Menold, Director of Cybersecurity Services at COSECURE, to discuss the best options for protecting your business and your employees.

Dr. Ronald Menold, Director of Cybersecurity Services at COSECURE Cybersecurity, brings deep knowledge gathered along his 24-year career as a Supervisory Special Agent with the FBI. Ronald holds a Certified Information Systems Security Professional (CISSP) and a Certified Ethical Hacker (CEH) certification from (ISC)2 and EC-Council respectively and multiple SANS/GIAC certifications. Ronald holds a Bachelor's in Computer Engineering and a Doctorate in Computer and Information Security. Contact Dr. Ronald Menold →

COSECURE Cybersecurity , an ancillary business unit of Cozen O'Connor, assesses client technology systems for cyber risks, teach employees how to protect themselves and their companies from hackers, and help our clients respond to cyber security threats, data breaches, and financial fraud. Learn more →