# "ComplyRight" Data Breach?



## starkllr (Mar 21, 2013)

So I received a letter yesterday from a company called ComplyRight.  It states that:

"We are writing with important information about a recent security incident involving some of your personal information that was maintained on our website.  Your personal information was entered onto our website by, or on behalf of, your employer or payer to prepare tax related forms, for example Forms 1099 and W-2."

I received 1099 forms for 2017 from Amazon (KDP), CreateSpace, ACX and Smashwords, so it could be any of them.  Has anyone else received a similar letter in the past few days?


----------



## Marti talbott (Apr 19, 2011)

Sounds like a scam to me. I wouldn't trust it especially if they're asking for personal information.


----------



## Guest (Jul 17, 2018)

Was it an actual letter in the mail, or an email? ComplyRight is an actual company, but usually these sort of things will be very specific. And I don't see any news about a breach from them on the HR wires.


----------



## starkllr (Mar 21, 2013)

It was an actual letter in the mail.  And it was specific as to dates; it just didn't specify WHICH employer or payor of mine was involved.


----------



## JGold77 (Jul 17, 2018)

I received the same letter.  I'm checking in to it with my employer and can post back here.  I think it's legit because they don't ask for any personal information and they recommend you deal directly with the credit reporting agencies.  Also, the year of monitoring they are offering is through TransUnion.  They were super specific with times and when the breach occurred, they are a legit company, and the letter didn't look or feel scammy.  I'll let you know what I find out from my employer/the tax person who does our payroll stuff.  It's not a bad idea to just add the fraud report to your credit and put a freeze on it if you don't plan on opening any new credit accounts.  It's super easy and most of the time free (depending on where you live).


----------



## CJax (Jul 17, 2018)

I joined this board to let you know I too received a letter. It seems like the production company used for some Maryland area productions is a culprit for the vast majority of my network that received the letters.

So far I only know of actors that have received this letter but I'm sure others have as well.


----------



## A_L2 (Jul 17, 2018)

I also joined this board because I received a ComplyRight letter today. However, it is addressed to my deceased husband. He died long before the "breach" and his estate has long been settled. Looks, acts, sounds like a scam to me.


----------



## tc2001 (Jul 17, 2018)

I actually called ComplyRight in Florida.  They did indeed have a data breach and the letter is legitimate.  I had to wait on hold for a while, too.  Sounds like they are fielding a lot of calls about this.


----------



## sherylrhoades (Jul 17, 2018)

I got the same letter. I sent an email to the company directly to ask them if it is a scam, and I got an auto reply email saying they are looking into my inquiry. I also looked at their website and press release page and no information about a breach is mentioned.

I will let you know what their response is, but everything points to verifying with credit bureaus to see if there's anything going on, worth looking at just in case.


----------



## SCone (Jul 17, 2018)

I received this same letter today.  It seems odd that it would be so vague - and mention a 1099 and a W-2.  I don't understand who they represent that I would have accounts with.  I would appreciate knowing any info anyone finds out.
Thank you.


----------



## whittles (Jul 17, 2018)

I joined too because I just received the same letter dated July 13, 2018 that on May 22 there was a potential issue involving the Comply Right Website. 
Legit and should I follow up with them?


----------



## TTrac (Jul 17, 2018)

ComplyRight is a software vendor that many CPA's and other companies across the country use to prepare client and employee 1099's and W-2's. My CPA in Tennessee informed me about the breach and I would be getting a letter. It arrived yesterday. 

Placed a fraud alert on my credit report and will sign up for the credit monitoring.


----------



## mtswan4 (Jul 17, 2018)

I also joined this board because I received a ComplyRight letter today, also dated 07/13/2018. I did contact my previous employer who stated they "haven't heard anything either but I do know that is who powers e-file4biz that we use to file our ACA reports. We will look into it."

I did some research and found a similar letter using the same format at:
https://www.doj.nh.gov/consumer/security-breaches/documents/alpha-industries-20171002.pdf

Having previously worked at CFPB (Consumer Financial Protection Bureau), and judging by the stamped received dates, it appears the attachment was reported to, and acknowledged by, both the NH State DOJ (Dept. of Justice) and CFPB on 10/30/17 as a result of a consumer complaint to CFPB.

I am in the process of contacting CFPB, requesting credit reports, and placing fraud alerts.


----------



## Tillytoo (Jul 17, 2018)

Hello All, 

My father (87) received a similar letter from Complyright dated 7/13/18 stating there was a recent security incident involving some of your personal information maintained on our website.  It continues, Your personal information was entered onto our website by, or on behalf of, your employer or payer to prepare tax related forms, i.e. Forms 1099 and W-2. My father is on social security and has a pension through his union hall.  I contacted them and they said they had never heard of Complyright and was not notified of a breach by the company they do use.  I also do his taxes on CreditKarma, but upon contacting them, again they have not heard of this company and have not had a breach.  These are the only 2 possibilities I have used on his behalf for a breach to have occurred. 

The return address on his letter is from P.O. Box 6336, Portland, OR.  The letter states that because of the breach they are offering a 12 month credit monitoring and identity protection service through TransUnion Interactive.  You have to log onto a website they give you and enter a 12 letter activation code and must be done by 10/31/18.  

They give a phone number if you have any questions (844-299-7772) but when I called they only took my name and phone number and said someone would call me back.  This sounded like a call center to me.  
I just really feel like although it looks so legit and throws out the TransUnion name, I really feel like this is a sophisticated scam.  I am tomorrow going to contact our State District Attorney's office to see if they have any knowledge of this.  

I hope we all get to the bottom of this.


----------



## blkvette94 (Jul 17, 2018)

Some things to look at with this type of apparent scam-
1. The company claims to be from Oregon. A quick search of the official Oregon Sec of State business name search shows no such name--  Nor anything derivative.
2. Going to Trans union you will find their web site is named "true identity" there is NO "MY" in the name
3. You may find another such engineered letter for social engineering fraud. They use a real person Helen Goff Foster.  A quick LinkedIn check shows different duty titles. And this letter also directs you to a near-miss website (it sends you to transunion monitoring dot com.. There is no legit trans union site of this name).
4. In the comply right letter under the "what we are doing" paragraph--- it states after thorough investigation my info may have been viewed on the website.... no verification of it being downloaded. Really, what reputable cyber thief looks at my info without downloading it to monetize it?
5. It comes from Rick Rodis "officer". Really? what kind of title is that?

As always the devil is in the details.. So slow down, read these kinds of letters backwards, go to the actual website-not just the ones provided.


----------



## Betsygee2018 (Jul 17, 2018)

It looks like a lot of us got the same letter.  I’m going to be doing some more research on this. I’ll look forward to hearing if anyone here gets a definitive answer.


----------



## tc2001 (Jul 17, 2018)

You can do what I did and call ComplyRight tomorrow to get verification.  I realize that no one should believe one person outright, so I do encourage you to call them tomorrow and get verification about the data breach.


----------



## GuyInEastBay (Jul 17, 2018)

blkvette94 said:


> Some things to look at with this type of apparent scam- ... As always the devil is in the details.. So slow down, read these kinds of letters backwards, go to the actual website-not just the ones provided.


I too got the same July 13, 2018 letter from ComplyRight. It arrived yesterday. And I agree that it's wise to be careful with these sorts of letters. However,

1. If you go to ComplyRight.com, they're really clear that their main offices are in Florida and California. There's no mention of the Oregon office, though my letter describes the office as a "Return Mail Processing Center." So I'd guess it's an outside company that ComplyRight hires to handle these sorts of letters. https://www.complyright.com/about/contact-us

2. Transunion lists myTrueidentity.com as one of their websites in this PDF file from their transunion.com website:
https://www.transunion.com/.../solution-data-breach-services-reactive-br-0317.pdf

3. Maybe there have been scams that build off of TransUnion's name, but I'm not sure, and frankly don't think this is one of them. At least, not at the moment.

4. "Really, what reputable cyber thief looks at my info without downloading it to monetize it?" I think what they're saying is they know the webpage/site was accessed, but they don't know exactly what info was downloaded, scraped, or otherwise taken. Some hackers will limit their data downloads to a certain size or time to avoid drawing too much suspicion to themselves. Also, ComplyRight may just be using some legalese here to avoid, I don't know, appearing more careless than they already appear.

5. "It comes from Rick Rodis "officer". Really? what kind of title is that?" The name on my letter is Rick Roddis (with two "d"s). Maybe this is a really elaborate scam, but there is a LinkedIn page for Roddis: https://www.linkedin.com/in/rickroddis/
And his name appears in this press release from several months ago (along with appearing in a bunch of other Google search results): 
https://www.prnewswire.com/news-releases/complyrights-efileacaformscom-and-smart1095com-join-forces-to-simplify-mandatory-aca-reporting-for-employers-300573412.html
I'd say the term "officer" reflects either hurried and careless writing, or some sort of legal-department wording.

Also, I emailed [email protected] to ask if this letter was for real. I got a reply saying yes it is. So again, it might be part of a scam, but that's a REALLY elaborate scam that they've been preparing for a year.

So I'm going to take some of the actions they suggest.


----------



## David VanDyke (Jan 3, 2014)

Is it possible that a scammer got ahold of the real letter and created some fake letters with slightly different items for phishing/social engineering? Such as Roddis/Rodis, and so on? People who check, like here, might be assured it's a real letter-but they actually got the fake letter made up to look like the real one?


----------



## tc2001 (Jul 17, 2018)

A search for "PO Box 6336" results in a lot of data breach letter templates from US state governments (which also list the myTrueIdentity website).  So, it is possible someone could be using one of these templates.  However, what is the gain by sending us to a legitimate site for credit monitoring?  

Also, a whois search for the registered owner of "mytrueidentity.com" website shows that it is Transunion.


----------



## David VanDyke (Jan 3, 2014)

Maybe they had to comply with the law to send out these letters. They assigned some intern or flunky or outsourced it and they've done a bad job of composing the letter.


----------



## patty2005 (Jul 18, 2018)

I got the exact same letter as everyone has described here.  I called the number on the letter and they couldn't/wouldn't give me the name of the employer who allegedly entered my information.    "ComplyRight" asked for my phone number but I didn't give it to them.  I recently changed jobs and neither my current boss nor my previous one know anything about ComplyRight.  None of my current or past fellow employees got this letter as far as I know.  I tried to call the company in Florida but it goes to a busy signal.  

Coincidentally, someone tried to use my credit card this morning, so I decided to check out "mytrueidentity.com" which is in the letter.  I wasn't completely sure it was real, but there is something called "mytrueidentity" on the Transunion website, so I went ahead and entered my data into the mytrueidentity.com site.  It knew my credit score accurately and it also knew how much total debt I have, so it looked pretty legit.  I put a lock on my Transunion account using that site.  It was not previously locked.  However, I was still uncertain so I called Transunion.  The guy didn't know anything about mytrueidentity.com and told me it was not associated with Transunion as far as he could tell, but then he asked if I wanted to lock my account.  I said "YES" and he said "Oh, it's already locked".  He also told me that the mytrueidentity.com website must actually be associated with the Transunion company for them to be able to lock my Transunion account.

SO, I still don't know about the origin of the letter, but the mytrueidentity.com website seems to be a legitimate subsidiary of Transunion.


----------



## Guest (Jul 18, 2018)

patty2005 said:


> However, I was still uncertain so I called Transunion. The guy didn't know anything about mytrueidentity.com and told me it was not associated with Transunion as far as he could tell, but then he asked if I wanted to lock my account. I said "YES" and he said "Oh, it's already locked". He also told me that the mytrueidentity.com website must actually be associated with the Transunion company for them to be able to lock my Transunion account.


Are you sure you weren't talking with Amazon customer service? lol


----------



## tc2001 (Jul 17, 2018)

patty2005 said:


> I got the exact same letter as everyone has described here. I called the number on the letter and they couldn't/wouldn't give me the name of the employer who allegedly entered my information. "ComplyRight" asked for my phone number but I didn't give it to them. I recently changed jobs and neither my current boss nor my previous one know anything about ComplyRight. None of my current or past fellow employees got this letter as far as I know. I tried to call the company in Florida but it goes to a busy signal.


I had to call 3 times to get through to ComplyRight in Florida. First 2 times, I also got the busy signal, but on the 3rd attempt, I reached a receptionist who then transferred me to someone that confirmed the breach.

I get the feeling ComplyRight is doing their best to keep this breach under wraps.


----------



## SteveM (Jul 18, 2018)

I got the letter yesterday (and so did my brother, who I work with and another coworker that I know of) and so was eager to contact Complyright directly today, especially after seeing this messageboard about it. I called a few times and after being transferred to the receptionist I kept getting a busy signal. So I went to their website and got their contact email. After 5 or 10 minutes, this reply popped up in my email from [email protected]:

"Yesenia Cervantes (ComplyRight)

Jul 18, 09:07 MST

Steve, 
The letter is valid. Please call the support# provided for further assistance. 
Regards, 
Letty Vasquez 
ComplyRight"

A search of Letty Vasquez and Yesenia Cervantes both show them as working for ComplyRight. It seems to be legit as far as I'm concerned! Thoughts?


----------



## boba1823 (Aug 13, 2017)

And people thought I was being paranoid by refusing to give Amazon my personal information


----------



## cac (Jul 18, 2018)

I only registered so I could comment here. I also received the letter. I checked with my current and last employer. Former employer also got letter. They said the breach has to do with the ACA filing of the Form 1094 (proof of employer health care coverage). So it's for real and it's not good.


----------



## 1234Scott (Jul 18, 2018)

I also got a letter dated July 13, 2018. Called the number and talked with two people, one a "supervisor".  Still cannot tell if it's a scam but they have nothing but my office number (which anyone can get). They would not say much. They mentioned "Staples" the office supply chain and my CPA. Made absolutely NO SENSE. All in all, I'd say it's a scam of some sort.


----------



## tc2001 (Jul 17, 2018)

1234Scott said:


> I also got a letter dated July 13, 2018. Called the number and talked with two people, one a "supervisor". Still cannot tell if it's a scam but they have nothing but my office number (which anyone can get). They would not say much. They mentioned "Staples" the office supply chain and my CPA. Made absolutely NO SENSE. All in all, I'd say it's a scam of some sort.


But what is the scam? They don't ask for any personal information and "mytrueidentity.com" is a legitimate site owned by TransUnion.


----------



## Finance Manager (Jul 18, 2018)

This is definitely a scam.  My client received a letter dated July 10 stating that there was an "incident" on "a tax form preparation website using a platform provided by ComplyRight".  It further indicated that they "disabled the platform".  This client doesn't use any tax form reporting platform.  When I called and questioned it, they couldn't tell me what platform they were referring to.  So I mentioned that the letter also states that "we have confirmed there was unauthorized access to OUR website".  I asked what website, and again, they couldn't answer the question.

The letter that several employees received indicated "potential issue involving OUR website".  Again, the guy couldn't tell me WHAT website.  When he tried to find out more information about the "incident" he told me that ComplyRight had received an "Entity Notice".  I said, "wow, that sounds scary but it's total bologna."

Folks, this is just a scam.  They know scary words and are trying to get you to sign up for their "free" credit monitoring in the hope that you will continue to be a customer after the "free" period.


----------



## Guest (Jul 18, 2018)

To clarify:

"Scam" implies illegal activity. While the letter may or may not have been poorly worded, there is NO reason to believe the company is pulling a scam.

ComplyRight is a real company.

Mytrueidentity is a real website owned by TransUnion.

Federal law requires companies to report potential breaches to those who may have been impacted. 

The letter was sent through the mail using real contact information. It was NOT an email phishing scheme. The penalties for committing any sort of fraud through the mail are enormous. 

Never assume malice when incompetence will suffice. It is more likely that the company has incomplete information on impacted individuals, as they themselves did not enter the individual data. The information is entered by third-party companies that pay to use the service.


----------



## Sshanker (Jul 18, 2018)

I contacted complyright through its website, not using any link, and I got the response that the letter is legitimate and is for me to call a toll free line that has professionals familiar with the case.  A canned letter.  My guess at this point is that Amazon used this service and that's why so many of us here have received this notice.


----------



## Riley2 (Jul 18, 2018)

I got the same letter. What bothers me is mytrueidentity.com and trueidentity.com are two different web sites. Why two similarly named sites associated with Transunion? Maybe I'm missing something.

https://www.trueidentity.com/ This one seems legit to me.

https://www.mytrueidentity.com/CreditView/welcome.page?enterprise=TUCI1 This is the one referenced in my letter.


----------



## tc2001 (Jul 17, 2018)

Riley2 said:


> I got the same letter. What bothers me is mytrueidentity.com and trueidentity.com are two different web sites. Why two similarly named sites associated with Transunion? Maybe I'm missing something.
> 
> https://www.trueidentity.com/ This one seems legit to me.
> 
> https://www.mytrueidentity.com/CreditView/welcome.page?enterprise=TUCI1 This is the one referenced in my letter.


A whois search on both domains yields identical information for the Registrant. The information is below (if you want to see for yourself: http://www.register.com/whois.rcmx).

Registry Registrant ID:
Registrant Name: TU Domains Team - Admin
Registrant Organization: Transunion, LLC
Registrant Street: 555 W Adams St
Registrant City: Chicago
Registrant State/Province: IL
Registrant Postal Code: 60661
Registrant Country: US
Registrant Phone: +1.3129852982
Registrant Phone Ext:
Registrant Fax: +1.3129852982
Registrant Fax Ext:
Registrant Email: [email protected]
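
The registrant comparison described in the post above, as an added example that is not part of the original post or thread: it parses the Registrant block of two WHOIS responses and compares them field by field. The function names, the redaction markers and the look-alike record are assumptions constructed for illustration; the first record is the block as posted, with the redacted email line left out.

```python
"""Compare the Registrant block of two WHOIS responses field by field."""

PREFIX = "registrant "
# Assumed markers for privacy-proxied or redacted registrant values.
REDACTION_MARKERS = ("redacted", "privacy", "proxy", "not disclosed")

# Registrant block as posted in the thread (email line omitted: redacted on the page).
POSTED_RECORD = """\
Registry Registrant ID:
Registrant Name: TU Domains Team - Admin
Registrant Organization: Transunion, LLC
Registrant Street: 555 W Adams St
Registrant City: Chicago
Registrant State/Province: IL
Registrant Postal Code: 60661
Registrant Country: US
Registrant Phone: +1.3129852982
Registrant Phone Ext:
Registrant Fax: +1.3129852982
Registrant Fax Ext:
"""

# Constructed record for a hypothetical look-alike domain behind a privacy proxy.
LOOKALIKE_RECORD = """\
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Example Privacy Proxy (constructed)
Registrant Street: 1 Placeholder Way
Registrant City: Nowhere
Registrant State/Province: ZZ
Registrant Country: US
"""


def parse_registrant(whois_text):
    """Return {field: normalized value} for non-empty 'Registrant <field>:' lines."""
    fields = {}
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        key = " ".join(key.split()).casefold()
        if not sep or not key.startswith(PREFIX):
            continue  # skips 'Registry Registrant ID' and non-registrant lines
        value = " ".join(value.split()).casefold()
        if value:  # empty fields (e.g. 'Phone Ext') carry no evidence
            fields[key[len(PREFIX):]] = value
    return fields


def is_redacted(value):
    return any(marker in value for marker in REDACTION_MARKERS)


def compare_registrants(first, second, required=("name", "organization")):
    """Compare two WHOIS texts; 'required' fields must be present and unredacted."""
    a, b = parse_registrant(first), parse_registrant(second)
    unusable = [k for k in required
                if k not in a or k not in b or is_redacted(a[k]) or is_redacted(b[k])]
    shared = sorted(set(a) & set(b))
    mismatched = [k for k in shared if a[k] != b[k]]
    if unusable:
        verdict = "inconclusive"   # nothing to compare: redaction is not a match
    elif mismatched:
        verdict = "mismatch"
    else:
        verdict = "match"
    return {"verdict": verdict, "mismatched": mismatched, "unusable": unusable}


if __name__ == "__main__":
    # Same registrant returned by a second lookup with different case and spacing.
    second_lookup = POSTED_RECORD.upper().replace(": ", ":   ")
    print(compare_registrants(POSTED_RECORD, second_lookup))
    print(compare_registrants(POSTED_RECORD, LOOKALIKE_RECORD))
```

Registrant fields are self-declared and often redacted, so a match corroborates common ownership rather than proving it; an "inconclusive" result means the check has to be made another way, such as through the organization's own published list of sites.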


----------



## Riley2 (Jul 18, 2018)

tc2001 said:


> A whois search on both domains yields identical information for the Registrant. The information is below (if you want to see for yourself: http://www.register.com/whois.rcmx).
> 
> Registry Registrant ID:
> Registrant Name: TU Domains Team - Admin
> ...


Thanks, I just get nervous when it comes to this kind of thing. Things are bad enough with all these data breaches. I don't want to make things worse.


----------



## ewr (Jul 18, 2018)

I think this may be real.

I used the website efile4Biz.com to create and issue 1099's to contractors I worked with, and:



> Efile4Biz.com is a member of the ComplyRight family of brands.


from https://www.efile4biz.com/about-us.html

also, see http://www.sun-sentinel.com/business/fl-bz-complyright-data-breach-20180718-story.html


----------



## alaskaann66 (Jul 18, 2018)

I agree that this may be a real breach. I just read the same article from the Sun Sentinel and it looks legit. I used efile4biz to file several 1099s for some of my clients through QuickBooks and those are the companies who received these letters - all dated 7/10/2018.



ewr said:


> I think this may be real.
> 
> I used the website efile4Biz.com to create and issue 1099's to contractors I worked with, and:
> 
> ...


----------



## mtswan4 (Jul 17, 2018)

The letter I received is VALID according to my employer. Below is the information they provided. You should contact your employer to confirm yours.

"Good afternoon, 

You may have received a letter from ComplyRight regarding a security breach in their system. Unfortunately, this is a legitimate letter. We use a company called efile4Biz to process and distribute our yearly ACA reporting (form 1095-C) and 1099s. The efile4Biz website is powered by ComplyRight.

Please read the letter thoroughly. They have set up a toll-free response line for questions at (844) 299-7772. They are also offering 12 months of free credit monitoring/identity protection services through TransUnion. The enrollment instructions are also included in the letter.

Apologies and regards,"


----------



## mtswan4 (Jul 17, 2018)

In addition, I was a contracted employee through an agency that provides temporary employees to the federal government (hence the 1099). I always go to websites directly, NEVER by copy/paste or typing in the website provided. The first thing I do is to google for "related spam", and in this case went directly to Transunion via my account. I will only use the information from my employer.

Again, ComplyRight did not ask for any personal information, and if you go directly to the credit bureau websites there will be no issues. FYI, when you place a fraud alert with one, they are to notify the other two. I do all three anyway.

Hope this helps.


----------



## laurensotheremail (Jul 19, 2018)

I got the letter as well, which is curious because I work for a state agency that does not outsource preparation of tax-related forms. I called ComplyRight and was told the breach occurred on the efile4biz site, which again is a mystery ... I wondered if this had anything to do with online tax return preparation, so I've inquired at Intuit, but haven't heard back.

I thought I would take advantage of the free id theft offer, but when I went to sign up using the activation code provided, it asked for my personal information. I wondered why they didn't already have that. 

I think it is a sophisticated scam. I'm thinking of reporting to my state's attorney general since they've basically stated the state is party to a data breach regarding employee personal information.


----------



## juniorv376 (Jul 19, 2018)

Just created an account to post. It appears these letters are very real.

The Sun-Sentinel covered it and all.

http://www.sun-sentinel.com/business/fl-bz-complyright-data-breach-20180718-story.html


----------



## laurensotheremail (Jul 19, 2018)

Just saw this:

https://krebsonsecurity.com/2018/07/human-resources-firm-complyright-breached/

Cloud-based human resources company ComplyRight said this week that a security breach of its Web site may have jeopardized sensitive consumer information - including names, addresses, phone numbers, email addresses and Social Security numbers - from tax forms submitted by the company's thousands of clients on behalf of employees....


----------



## APeter (Jan 2, 2015)

KrebsOnSecurity confirms there was a breach.

https://krebsonsecurity.com/2018/07/human-resources-firm-complyright-breached/


----------



## KFK (Jul 23, 2018)

Thank you to all who have posted about the reported breach at ComplyRight.  My firm is conducting an investigation relating to the matter and would like to speak with anyone who has received the noted July 13, 2018 letter from ComplyRight and/or has details concerning the breach.  My direct number in NYC is: (212) 329-8570.  Thank you.

Kevin Cosgrove
[email protected]


----------



## David VanDyke (Jan 3, 2014)

KFK said:


> Thank you to all who have posted about the reported breach at ComplyRight. My firm is conducting an investigation relating to the matter and would like to speak with anyone who has received the noted July 13, 2018 letter from ComplyRight and/or has details concerning the breach. My direct number in NYC is: (212) 329-8570. Thank you.
> 
> Kevin Cosgrove
> [email protected]


In the interest of full disclosure: Note that Kaplan Fox appears to be a law firm soliciting clients.


----------



## Becca Mills (Apr 27, 2012)

Wow. I don't think I've ever seen a thread attract so many brand new members.

For the time being, I'd suggest everyone pursue this matter through their own already-established relationships with financial- and legal-services providers. The internet isn't always our friend on stuff like this.


----------



## blkvette94 (Jul 17, 2018)

Becca Mills said:


> Wow. I don't think I've ever seen a thread attract so many brand new members.


Unfortunately this was the only site from a google search that even mentioned it when we got the letters. I now think this might be legit.. But is it ever shoddy just reading this letter.


----------



## Becca Mills (Apr 27, 2012)

New members are always welcome.  We must have caught some weird Google wave on this one.



----------



## David VanDyke (Jan 3, 2014)

Becca Mills said:


> New members are always welcome.  We must have caught some weird Google wave on this one.


As many indies have well-developed spidey-senses when it comes to scams, we were probably among the first to discuss it, which gave us natural SEO at the top of the results.


----------



## blkvette94 (Jul 17, 2018)

Two things irk me about this:
1. Imagine this in the real world-- You call 911 and tell them "...that during a 30 day period over 90 days ago. Some one was definitely in my yard. I don't know who or exactly when.. but they were there.. And they may or may not have taken something of value.. I walked the yard extensively and had a very thorough neighbor walk it also and we can't find what they may have taken, so they may have only looked at something.. And I want to file a report on it".  So do you think the local sheriff is going to show up? Let me rephrase that question-- If for some really slow-workday reason the sheriffs do show up-- Will they be taking a statement and filing a report or will they be escorting you back to the station to discuss your use of 911?

2. So this third party agency (who by appearances provides services for small business) got my info. How did they get my info? And who should be held responsible? I know I never gave or got anything to or from Complyright personally. My info was given to the federal government, a major employer (15,000 plus employees), major bank or major tax prep software co. The gov, bank or employer are the only ones who have provided me tax forms. I don't specifically remember giving my tax info to the software company just using their software and efiling federal and state. So where does this company come into play?

2(a) Again put this in the real world-- A neighbor gives me a valuable personal heirloom to hold for a few weeks while they are traveling. Then without my neighbor's permission I send that heirloom to my niece (in another state) to wear and she loses it.  Who do you think the neighbor should and would be mad at? They have never even met my niece..

Oy vey it feels like I have just been told I am going to die. While 100% true and accurate, without any further info it is also 100% useless..

This type of thing seems to be a weekly event anymore. Something needs to change. 

Oh wait. I'm sorry, my apologies to anyone who read this.. I was told I should just contact yet another third party, give them all my info and they will protect me for a year.. so everything is copasetic. right up until day 366...


----------



## debthomasdotcom (Jul 24, 2018)

There are still things that concern me about this site.  The tab says CCVD, nothing about trans union.  The logo of Transunion on the page does not link back to Trans union and the word "support" is not linked to anything either.


----------



## nb11 (Jul 24, 2018)

I believe I might be able to cast a glimmer of light on the ComplyRight Data Breach issue. I received the exact same July 13 letter, however it came addressed through a former company that I owned. Like everyone else, no one, including my former accounting firm had a clue. There was something about efile4biz that rang a distant memory bell. After some searching, I believe the source of the breach may well be those Annual Form Kits which are sold to small employers for producing W2/W3, 1099/1096, and the like. These Kits are sold by a myriad of business form retailers like Staples, OfficeMax, etc. The kit looks similar to this:

https://www.officedepot.com/a/products/812992/ComplyRight-W-2C-InkjetLaser-Tax-Forms/

I have used these kits in the past to produce a small number of 1099's or W2's from time to time in certain circumstances. If I remember correctly, these kits started coming equipped with a software program that manages the employee data and printing process to ensure only 1 accurate W3 or 1096 transmittal is produced. It also keeps a local data base which can be accessed in subsequent years. I cannot remember about cloud-based storage, or Employer E-file capability, but I do remember the little package becoming more restrictive and complex from year to year. It's been a few years ago, but I am pretty sure this could likely be ground zero. The letter is probably legit, and those Form packages are ubiquitous for the first few months of the year. You even see stacks of the Kits in the aisle at Sam's Club every January. I suggest this be treated as legit and that everyone check with prior small employers about their use of these Form Kits.


----------



## rbranham (Jul 31, 2018)

I received a letter today too. Exactly the same as everyone else. Have done some research. Asked my husband who is in IT Security but haven't heard back from him yet. Did find a website with some additional verification. It could be real. Here is the website I found: https://krebsonsecurity.com/2018/07/human-resources-firm-complyright-breached/


----------



## Mike 141 (Aug 5, 2018)

I called Complyright to determine who had used their services with my data. They said they would call back in a few days with the info. Well, they called back and said they couldn't give me that information. After a few heated words I slammed the phone down. Less than 5 minutes later I received the classic IRS robo call threatening me with all manner of legal actions. A coincidence? .....I doubt it.


----------

