Details are scant, but compromised data may include US residents’ Social Security and bank account numbers

BenefitMall, a provider of payroll, HR, and employer services to businesses across the US, has reported a data security incident that may have exposed consumers’ personal information.

“On October 11, 2018, the company became aware of an email phishing attack that exposed employee email login credentials,” the company said in a press release on Friday.

“While the dates of the unauthorized access vary, the issue generally occurred between June 2018 and the discovery date.”

According to BenefitMall, emails in the affected mailboxes may have included consumers’ names, addresses, Social Security numbers, dates of birth, bank account numbers, and information relating to payment of insurance premiums.

BenefitMall – the trading name of Centerstone Insurance and Financial Services – provides a range of solutions for employers, including the administration of payroll and employee benefits.

The Dallas-based company said it has access to consumers’ personal information due to the nature of its work as a service provider to employers and other businesses.

It’s not yet known how many US consumers are potentially impacted by this breach. BenefitMall did not respond to multiple requests for comment.

According to promotional material from the company, BenefitMall works with a network of more than 20,000 brokers and accountants that service some 200,000 small and medium-sized businesses.

“BenefitMall takes the privacy and security of personal information very seriously,” the company said. “Once BenefitMall learned of this issue, the company immediately initiated an internal review.

“The company also retained a top computer forensics firm to help conduct a thorough investigation of the incident and remediate BenefitMall's systems. BenefitMall has also reported the incident to law enforcement.”

It appears that this isn’t the first time BenefitMall has been subject to a data breach.

A document (PDF) hosted on the Department of Justice New Hampshire website provides details of a security incident that took place in November 2013 and impacted BenefitMall client Kenerson Associates.

Based on the company’s review of last year’s data breach, BenefitMall said there is “no indication” that any information has been used inappropriately.

BenefitMall said it has now implemented additional security measures to protect employee email accounts, including two-factor authentication.

“The company has also undertaken an employee education initiative to inform employees about phishing scams and how to guard against them, and will continue to deliver additional employee training about email safety and recognizing phishing emails,” it said.