Equifax 'suffers data breach, losing 431,000 workers' details'
Hackers broke into tax form system, stealing personal data, it is claimed


Credit bureau firm Equifax has apparently suffered a significant data breach, with tax and salary data for more than 431,000 US workers being stolen from its systems.
The report of the leak comes via independent security researcher Brian Krebs, who claims to have seen a letter from American grocery firm Kroger to its employees, stating an unauthorised third party had accessed Equifax's W-2Express system, which lets individuals manage their W-2 tax forms (similar to a tax return in the UK) online.
"It appears that unknown individuals have accessed [Equifax's] W2Express website using default log-in information based on Social Security numbers (SSN) and dates of birth, which we believe were obtained from some other source, such as a prior data breach at other institutions," Kroger's letter said.
"Kroger is working with Equifax and the authorities to determine who is affected and restore secure access to W-2Express. At this time, we believe you are among our current and former Kroger associates using the default PIN in the W-2Express system. This does not necessarily mean your W-2 was accessed as part of this security incident. We are still working to identify which individuals' information was accessed," it added.
The company sought to reassure workers that its own systems have not been compromised, but admitted it does not know how many of them had been affected.
This is not the first time a data breach has affected Equifax's W-2Express systems, with Stanford University revealing in April that several hundred of its employees, past and present, had their details stolen.
IT Pro has contacted Equifax for its response to the allegations, but had not received a response at the time of publication.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives

Jane McCallion is Managing Editor of ITPro and ChannelPro, specializing in data centers, enterprise IT infrastructure, and cybersecurity. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.
Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.
-
What is polymorphic malware?
Explainer Polymorphic malware constantly changes its code to avoid detection, making it a top cybersecurity threat that demands advanced, behavior-based defenses
-
Outgoing Kaseya CEO teases "this is just the beginning" for the company
Opinion We spoke to Fred Voccola who remains a key figurehead at the firm as it enters its next chapter...
-
Capita tells pension provider to 'assume' nearly 500,000 customers' data stolen
Capita told the pension provider to “work on the assumption” that data had been stolen
-
Gumtree site code made personal data of users and sellers publicly accessible
News Anyone could scan the website's HTML code to reveal personal information belonging to users of the popular second-hand classified adverts website
-
Pizza chain exposed 100,000 employees' Social Security numbers
News Former and current staff at California Pizza Kitchen potentially burned by hackers
-
83% of critical infrastructure companies have experienced breaches in the last three years
News Survey finds security practices are weak if not non-existent in critical firms
-
Identity Automation launches credential breach monitoring service
News New monitoring solution adds to the firm’s flagship RapidIdentity platform
-
Neiman Marcus data breach hits 4.6 million customers
News The breach took place last year, but details have only now come to light
-
Indiana notifies 750,000 after COVID-19 tracing data accessed
News The state is following up to ensure no information was transferred to bad actors
-
Pearson fined $1 million for downplaying severity of 2018 breach
News The SEC found the London-based firm made “misleading statements and omissions” about the intrusion