Author Topic: "ComplyRight" Data Breach?  (Read 29092 times)  

Offline starkllr

« on: July 17, 2018, 06:37:10 am »
So I received a letter yesterday from a company called ComplyRight.  It states that:

"We are writing with important information about a recent security incident involving some of your personal information that was maintained on our website. Your personal information was entered onto our website by, or on behalf of, your employer or payer to prepare tax related forms, for example Forms 1099 and W-2."

I received 1099 forms for 2017 from Amazon (KDP), CreateSpace, ACX and Smashwords, so it could be any of them.  Has anyone else received a similar letter in the past few days?

 
What if you could see everyone else's dreams?
J.J. DiBenedetto | Blog | Facebook | Twitter | Smashwords | Goodreads


    Offline Marti talbott

    « Reply #1 on: July 17, 2018, 06:44:32 am »
    Sounds like a scam to me. I wouldn't trust it especially if they're asking for personal information.
    Based on an actual event: The 1909 Dotsero Train Wreck https://www.amazon.com/gp/product/B084H4Z23C/ref=dbs_a_def_rwt_hsch_vapi_tkin_p6_i5

    Author of over 50 novels   www.martitalbott.com

    bardsandsages

    « Reply #2 on: July 17, 2018, 07:02:23 am »
    Was it an actual letter in the mail, or an email? ComplyRight is an actual company, but usually these sorts of things will be very specific. And I don't see any news about a breach from them on the HR wires.

    Offline starkllr

    « Reply #3 on: July 17, 2018, 07:05:56 am »
    It was an actual letter in the mail.  And it was specific as to dates; it just didn't specify WHICH employer or payor of mine was involved.

     

    Offline JGold77

    « Reply #4 on: July 17, 2018, 07:30:03 am »
    I received the same letter.  I'm checking into it with my employer and can post back here.  I think it's legit because they don't ask for any personal information and they recommend you deal directly with the credit reporting agencies.  Also, the year of monitoring they are offering is through TransUnion.  They were super specific with times and when the breach occurred, they are a legit company, and the letter didn't look or feel scammy.  I'll let you know what I find out from my employer/the tax person who does our payroll stuff.  It's not a bad idea to just add the fraud report to your credit and put a freeze on it if you don't plan on opening any new credit accounts.  It's super easy and most of the time free (depending on where you live).

    Offline CJax

    « Reply #5 on: July 17, 2018, 10:23:05 am »
    I joined this board to let you know I too received a letter. It seems like the production company used for some Maryland area productions is a culprit for the vast majority of my network that received the letters.

    So far I only know of actors that have received this letter but I'm sure others have as well.

    Offline A_L2

    « Reply #6 on: July 17, 2018, 01:18:33 pm »
    I also joined this board because I received a ComplyRight letter today. However, it is addressed to my deceased husband. He died long before the "breach" and his estate has long been settled. Looks, acts, sounds like a scam to me.

    Offline tc2001

    « Reply #7 on: July 17, 2018, 01:34:10 pm »
    I actually called ComplyRight in Florida.  They did indeed have a data breach and the letter is legitimate.  I had to wait on hold for a while, too.  Sounds like they are fielding a lot of calls about this.

    Offline sherylrhoades

    « Reply #8 on: July 17, 2018, 01:36:01 pm »
    I got the same letter. I sent an email to the company directly to ask them if it is a scam, and I got an auto reply email saying they are looking into my inquiry. I also looked at their website and press release page and no information about a breach is mentioned.

    I will let you know what their response is, but everything points to verifying with credit bureaus to see if there's anything going on, worth looking at just in case.

    Offline SCone

    « Reply #9 on: July 17, 2018, 01:55:32 pm »
    I received this same letter today.  It seems odd that it would be so vague - and mention a 1099 and a W-2.  I don't understand who they represent that I would have accounts with.  I would appreciate knowing any info anyone finds out.
    Thank you.

    Offline whittles

    « Reply #10 on: July 17, 2018, 02:15:24 pm »
    I joined too because I just received the same letter, dated July 13, 2018, saying that on May 22 there was a potential issue involving the ComplyRight website.
    Legit and should I follow up with them?

    Offline TTrac

    « Reply #11 on: July 17, 2018, 02:23:56 pm »
    ComplyRight is a software vendor that many CPAs and other companies across the country use to prepare client and employee 1099s and W-2s. My CPA in Tennessee informed me about the breach and that I would be getting a letter. It arrived yesterday.

    Placed a fraud alert on my credit report and will sign up for the credit monitoring.
    « Last Edit: July 17, 2018, 02:25:59 pm by TTrac »

    Offline mtswan4

    « Reply #12 on: July 17, 2018, 02:42:20 pm »
    I also joined this board because I received a ComplyRight letter today, also dated 07/13/2018. I did contact my previous employer who stated they "haven't heard anything either but I do know that is who powers e-file4biz that we use to file our ACA reports. We will look into it."

    I did some research and found a similar letter using the same format at:
    https://www.doj.nh.gov/consumer/security-breaches/documents/alpha-industries-20171002.pdf

    Having previously worked at CFPB (Consumer Financial Protection Bureau), and judging by the stamped received dates, it appears the attachment was reported to, and acknowledged by, both the NH State DOJ (Dept. of Justice) and CFPB on 10/30/17 as a result of a consumer complaint to CFPB.

    I am in the process of contacting CFPB, requesting credit reports, and placing fraud alerts.
    « Last Edit: July 17, 2018, 02:46:52 pm by mtswan4 »

    Offline Tillytoo

    « Reply #13 on: July 17, 2018, 03:32:42 pm »
    Hello All,

    My father (87) received a similar letter from ComplyRight dated 7/13/18 stating there was a recent security incident involving some of your personal information maintained on our website.  It continues, Your personal information was entered onto our website by, or on behalf of, your employer or payer to prepare tax related forms, i.e. Forms 1099 and W-2. My father is on social security and has a pension through his union hall.  I contacted them and they said they had never heard of ComplyRight and were not notified of a breach by the company they do use.  I also do his taxes on CreditKarma, but upon contacting them, again they have not heard of this company and have not had a breach.  These are the only 2 possibilities I have used on his behalf for a breach to have occurred.

    The return address on his letter is from P.O. Box 6336, Portland, OR.  The letter states that because of the breach they are offering a 12 month credit monitoring and identity protection service through TransUnion Interactive.  You have to log onto a website they give you and enter a 12 letter activation code and must be done by 10/31/18. 

    They give a phone number if you have any questions (844-299-7772) but when I called they only took my name and phone number and said someone would call me back.  This sounded like a call center to me. 
    I just really feel like although it looks so legit and throws out the TransUnion name, I really feel like this is a sophisticated scam.  Tomorrow I am going to contact our State District Attorney's office to see if they have any knowledge of this.

    I hope we all get to the bottom of this. 

    Offline blkvette94

    « Reply #14 on: July 17, 2018, 03:50:22 pm »
    Some things to look at with this type of apparent scam:
    1. The company claims to be from Oregon. A quick search of the official Oregon Sec of State business name search shows no such name, nor anything derivative.
    2. Going to TransUnion you will find their website is named "true identity"; there is NO "MY" in the name.
    3. You may find another such engineered letter for social engineering fraud. They use a real person, Helen Goff Foster. A quick LinkedIn check shows different duty titles. And this letter also directs you to a near-miss website (it sends you to transunion monitoring dot com. There is no legit TransUnion site of this name).
    4. In the ComplyRight letter under the "what we are doing" paragraph, it states after thorough investigation my info may have been viewed on the website... no verification of it being downloaded. Really, what reputable cyber thief looks at my info without downloading it to monetize it?
    5. It comes from Rick Rodis "officer". Really? What kind of title is that?

    As always the devil is in the details. So slow down, read these kinds of letters backwards, go to the actual website, not just the ones provided.

    Offline Betsygee2018

    « Reply #15 on: July 17, 2018, 04:04:33 pm »
    It looks like a lot of us got the same letter.  I'm going to be doing some more research on this. I'll look forward to hearing if anyone here gets a definitive answer.

    Offline tc2001

    « Reply #16 on: July 17, 2018, 04:13:56 pm »
    You can do what I did and call ComplyRight tomorrow to get verification.  I realize that no one should believe one person outright, so I do encourage you to call them tomorrow and get verification about the data breach.

    Offline GuyInEastBay

    « Reply #17 on: July 17, 2018, 04:23:42 pm »
    Quote from: blkvette94 on July 17, 2018, 03:50:22 pm
    Some things to look at with this type of apparent scam: ... As always the devil is in the details. So slow down, read these kinds of letters backwards, go to the actual website, not just the ones provided.

    I too got the same July 13, 2018 letter from ComplyRight. It arrived yesterday. And I agree that it's wise to be careful with these sorts of letters. However,

    1. If you go to ComplyRight.com, they're really clear that their main offices are in Florida and California. There's no mention of the Oregon office, though my letter describes the office as a "Return Mail Processing Center." So I'd guess it's an outside company that ComplyRight hires to handle these sorts of letters. https://www.complyright.com/about/contact-us

    2. Transunion lists myTrueidentity.com as one of their websites in this PDF file from their transunion.com website:
    https://www.transunion.com/.../solution-data-breach-services-reactive-br-0317.pdf

    3. Maybe there have been scams that build off of TransUnion's name, but I'm not sure, and frankly don't think this is one of them. At least, not at the moment.

    4. "Really, what reputable cyber thief looks at my info without downloading it to monetize it?" I think what they're saying is they know the webpage/site was accessed, but they don't know exactly what info was downloaded, scraped, or otherwise taken. Some hackers will limit their data downloads to a certain size or time to avoid drawing too much suspicion to themselves. Also, ComplyRight may just be using some legalese here to avoid, I don't know, appearing more careless than they already appear.

    5. "It comes from Rick Rodis "officer". Really? what kind of title is that?" The name on my letter is Rick Roddis (with two "d"s). Maybe this is a really elaborate scam, but there is a LinkedIn page for Roddis: https://www.linkedin.com/in/rickroddis/
    And his name appears in this press release from several months ago (along with appearing in a bunch of other Google search results):
    https://www.prnewswire.com/news-releases/complyrights-efileacaformscom-and-smart1095com-join-forces-to-simplify-mandatory-aca-reporting-for-employers-300573412.html
    I'd say the term "officer" reflects either hurried and careless writing, or some sort of legal-department wording.

    Also, I emailed [email protected] to ask if this letter was for real. I got a reply saying yes it is. So again, it might be part of a scam, but that's a REALLY elaborate scam that they've been preparing for a year.

    So I'm going to take some of the actions they suggest.
    « Last Edit: July 17, 2018, 04:34:01 pm by GuyInEastBay »

    Offline David VanDyke

    « Reply #18 on: July 17, 2018, 06:05:03 pm »
    Is it possible that a scammer got ahold of the real letter and created some fake letters with slightly different items for phishing/social engineering? Such as Roddis/Rodis, and so on? People who check, like here, might be assured it's a real letter-but they actually got the fake letter made up to look like the real one?
    « Last Edit: July 18, 2018, 12:52:53 am by David VanDyke »

    Offline tc2001

    « Reply #19 on: July 17, 2018, 06:12:58 pm »
    A search for "PO Box 6336" results in a lot of data breach letter templates from US state governments (which also list the myTrueIdentity website).  So, it is possible someone could be using one of these templates.  However, what is the gain by sending us to a legitimate site for credit monitoring? 

    Also, a whois search for the registered owner of "mytrueidentity.com" website shows that it is Transunion.
    « Last Edit: July 17, 2018, 06:19:18 pm by tc2001 »

    Offline David VanDyke

    « Reply #20 on: July 18, 2018, 12:54:38 am »
    Maybe they had to comply with the law to send out these letters. They assigned some intern or flunky or outsourced it and they've done a bad job of composing the letter.


    Offline patty2005

    « Reply #21 on: July 18, 2018, 06:51:48 am »
    I got the exact same letter as everyone has described here.  I called the number on the letter and they couldn't/wouldn't give me the name of the employer who allegedly entered my information.    "ComplyRight" asked for my phone number but I didn't give it to them.  I recently changed jobs and neither my current boss nor my previous one know anything about ComplyRight.   None of my current or past fellow employees got this letter as far as I know.  I tried to call the company in Florida but it goes to a busy signal. 

    Coincidentally, someone tried to use my credit card this morning, so I decided to check out "mytrueidentity.com" which is in the letter.  I wasn't completely sure it was real, but there is something called "mytrueidentity" on the Transunion website, so I went ahead and entered my data into the mytrueidentity.com site.  It knew my credit score accurately and it also knew how much total debt I have, so it looked pretty legit.  I put a lock on my Transunion account using that site.  It was not previously locked.   However, I was still uncertain so I called Transunion.  The guy didn't know anything about mytrueidentity.com and told me it was not associated with Transunion as far as he could tell, but then he asked if I wanted to lock my account.  I said "YES" and he said "Oh, it's already locked".  He also told me that the mytrueidentity.com website must actually be associated with the Transunion company for them to be able to lock my Transunion account.

    SO, I still don't know about the origin of the letter, but the mytrueidentity.com website seems to be a legitimate subsidiary of Transunion.

    bardsandsages

    « Reply #22 on: July 18, 2018, 07:03:26 am »
    Quote from: patty2005 on July 18, 2018, 06:51:48 am
    However, I was still uncertain so I called Transunion.  The guy didn't know anything about mytrueidentity.com and told me it was not associated with Transunion as far as he could tell, but then he asked if I wanted to lock my account.  I said "YES" and he said "Oh, it's already locked".  He also told me that the mytrueidentity.com website must actually be associated with the Transunion company for them to be able to lock my Transunion account.

    Are you sure you weren't talking with Amazon customer service? lol

    Offline tc2001

    « Reply #23 on: July 18, 2018, 07:58:35 am »
    Quote from: patty2005 on July 18, 2018, 06:51:48 am
    I got the exact same letter as everyone has described here.  I called the number on the letter and they couldn't/wouldn't give me the name of the employer who allegedly entered my information.  "ComplyRight" asked for my phone number but I didn't give it to them.  I recently changed jobs and neither my current boss nor my previous one know anything about ComplyRight.  None of my current or past fellow employees got this letter as far as I know.  I tried to call the company in Florida but it goes to a busy signal.

    I had to call 3 times to get through to ComplyRight in Florida.  First 2 times, I also got the busy signal, but on the 3rd attempt, I reached a receptionist who then transferred me to someone that confirmed the breach.

    I get the feeling ComplyRight is doing their best to keep this breach under wraps.

    Offline SteveM

    « Reply #24 on: July 18, 2018, 09:21:00 am »
    I got the letter yesterday (and so did my brother, who I work with, and another coworker that I know of) and so was eager to contact ComplyRight directly today, especially after seeing this message board about it. I called a few times and after being transferred to the receptionist I kept getting a busy signal. So I went to their website and got their contact email. After 5 or 10 minutes, this reply popped up in my email from [email protected]com:

    "Yesenia Cervantes (ComplyRight)

    Jul 18, 09:07 MST

    Steve,
    The letter is valid. Please call the support# provided for further assistance.
    Regards,
    Letty Vasquez
    ComplyRight"

    A search of Letty Vasquez and Yesenia Cervantes both show them as working for ComplyRight. It seems to be legit as far as I'm concerned! Thoughts?
