February 13, 2019
February 2019 Security Incident
In early February 2019, our TRAXPayroll system was accessed without authorization. In the spirit of openness that’s one of the foundational BambooHR values, we wanted to let you know what happened and the extra measures we’re taking to prevent this kind of incident from reoccurring.
On February 13, 2019, we learned that an intruder gained entry to the TRAXPayroll network using stolen credentials. We immediately terminated all access to the system, but not before the intruder was able to run reports on a handful (fewer than 1%) of our clients. Due to our internal security measures, most of the sensitive data for the affected customers remained protected. However, some data, including a combination of names and Social Security numbers, were made visible. No bank account data was accessed at any time during the intrusion and no client credentials were compromised.
We were quickly able to identify and reach out to the affected customers to alert them and advise them on precautionary measures. We’ve also helped them with notification obligations and offered free credit monitoring to their employees.
We detected the intrusion, wiped the entry point system, rotated all credentials, and added additional layers of authentication. No subsequent unauthorized access attempts were successful. We believe we’ve identified all data exposures and isolated them to the reports mentioned above. Several extra security protocols have been added since the incident and we’re studying even more for future implementation.
We have always had a serious commitment to security at BambooHR, and that extends to our TRAXPayroll division. While no system is impenetrable, it’s nevertheless incredibly upsetting when it happens to your system. We don’t consider this a trivial matter in any way, and we deeply regret the impact it’s had on our customers—those directly affected and any others who might also be concerned. At the same time, we are extremely confident in our security team and the security of our system. We hope this information reassures you we’re doing everything we can to minimize the risk of any future issues.
Please contact us at any time via email: [email protected]