MyPayrollHR, a now-defunct cloud-based payroll processing company based in the state of New York, abruptly ceased operations last week after stiffing employees at thousands of companies. The ongoing debacle, which allegedly involves malpractice by the CEO of the payroll company, resulted in countless people losing money from their bank accounts and has left almost $35 million in salary and tax payments in legal limbo.
Unlike many stories here about cloud service providers being blackmailed by hackers for ransomware payments, this snafu appears to have been something of an inside job. Still, it's a story worth telling, in part because much of the media coverage of this event so far has been somewhat incoherent, but also because it should serve as a warning to other payroll providers about how quickly and massively things can go wrong when a reliable partner unexpectedly goes bad.
Clifton Park, NY-based MyPayrollHR
This communication came after employees of companies that rely on MyPayrollHR to receive direct deposit of their bi-weekly paychecks discovered their bank accounts were instead debited for the amounts they would normally expect to accrue in a given pay period.
To make matters worse, many of the employees found that their accounts had been debited for two pay periods – one month's pay – leaving their bank accounts dangerously in the red.
The rest of this post is a deep dive into what we know so far about what happened and how such an occurrence can be prevented in the future for other payroll companies.
A $26 MILLION TEXT FILE
Understanding what's at stake here requires a basic foundation on how most of us get paid, which is a surprisingly convoluted process. In a typical scenario, our employer works with at least one third-party company to ensure that every other Friday what we are owed is deposited into our bank account.
The company that handled that process for MyPayrollHR is a California company called Cachet Financial Services. Every other week for more than 12 years, MyPayrollHR has sent a file to Cachet telling it which employee accounts at which banks should be credited and by how much.
According to interviews with Cachet, the process worked like this: MyPayrollHR would send a digital file documenting deposits made by each of these client companies, listing the amounts owed to each client's employees. In turn, those funds from MyPayrollHR client companies would then be deposited into a settlement or holding account maintained by Cachet.
From there, Cachet would take those sums and pay them into the bank accounts of people whose employers used MyPayrollHR to manage their bi-weekly payroll.
But according to Cachet, something happened with the instruction file MyPayrollHR sent on the afternoon of Wednesday, September 4, that had never happened before: MyPayrollHR asked that all of its clients' payroll dollars be sent not to Cachet's holding account, but instead to an account at Pioneer Savings Bank that was operated and controlled by MyPayrollHR.
The total amount for this mass payroll deposit was approximately $26 million. Wendy Slavkin, general counsel for Cachet, told KrebsOnSecurity that her client then inquired with Pioneer Savings about the misdirected deposit and was told that MyPayrollHR's bank account was frozen.
Nevertheless, the payroll file submitted by MyPayrollHR instructed financial institutions for its various clients to pull $26 million from Cachet's holding account – even though the regular deposits from MyPayrollHR's client banks had not been made.
REVERSING THE REVERSAL
In response, Cachet sent a request to reverse that transaction. But according to Slavkin, the first chargeback request was incorrectly formatted, and so Cachet sent a properly coded chargeback request shortly afterward.
Financial institutions are supposed to ignore or reject payment instructions that do not comply with the precise formatting required by the National Automated Clearinghouse Association (NACHA), the nonprofit organization that provides the backbone for the electronic movement of money in the United States. But Slavkin said that a number of financial institutions ended up processing both chargeback requests, which means that a good number of employees at companies using MyPayrollHR suddenly saw a month's worth of wages deducted from their bank accounts.
Dan L'Abbe, CEO of the San Francisco-based consulting firm Granite Solutions Groupe, said the mix-up has been massively disruptive to his 250 employees.
"This caused a lot of chaos for employers, but employees were the ones who were really affected," said L'Abbe. "This is very unusual because we do not even have the opportunity to withdraw money from our employees' accounts."
Slavkin said that Cachet was able to reach the CEO of MyPayrollHR – Michael T. Mann – by phone on the evening of September 4, and that Mann said he would call back in a few minutes. Mann never returned the call. Not long after that, MyPayrollHR told clients that it was going out of business and that they should find someone else to handle their payroll.
In short order, many people who lost one or both paychecks took to […] and Facebook to vent their anger and confusion at Cachet and at MyPayrollHR, but Slavkin said Cachet eventually decided to cancel the previous payment reversals, leaving Cachet on the hook for $26 million. "What we have done since then is reach out to 100+ receiving banks to get them to reject both reversals," Slavkin said. "So most – if not all – employees affected by this will, within the next day or two, get all their money back."
THE VANISHING MANN
Cachet has since been in contact with the FBI and with federal prosecutors in New York, and Slavkin said that both are now investigating MyPayrollHR and its CEO. On Monday, New York Governor Andrew Cuomo urged the state Department of Financial Services to investigate the company's "sudden and disturbing shutdown."
The $26 million hit against Cachet was not the only scam apparently carried out by MyPayrollHR and/or its parent company: According to Slavkin, the now-defunct New York company also defrauded National Payment Corporation (NatPay) – the Florida-based company that handles tax deductions for MyPayrollHR customers – of more than $9 million.
In a statement delivered to KrebsOnSecurity, NatPay said it was notified late last week that the bank accounts of MyPayrollHR and one of its affiliates were frozen, and that the notice came after the payment files were processed.
"NatPay was informed that MyPayrollHR and Cloud Payroll may have been victims of fraud committed by the holding company ValueWise, whose CEO and owner is Michael Mann," NatPay said. "NatPay immediately took steps to control the orderly process of recovering funds [and] has more than adequate insurance to cover actions with trial or real fraud."
Requests for comment sent to various managers at both MyPayrollHR and its parent company ValueWise Corp. went unanswered, and the latter's website is now offline. Several former MyPayrollHR employees reached through LinkedIn said none of them had seen or heard from Mr. Mann in days.
Meanwhile, Granite Solutions Groupe CEO L'Abbe said some of his employees have seen their bank accounts credited back the money that was taken, while others are still waiting for those reversals to come through.
"It varies a lot," said L'Abbe. "Every bank treats it differently and everyone's relationship with the bank is different. Others have absolutely no money right now, and have a hell of a time with their bank and think this is the result of fraud. Things are starting to settle down now, but many employees are still in limbo with their bank."
Cachet Financial, for its part, says it will look at solutions to better detect when and if clients' instructions for funding settlement accounts suddenly change.
"Our system is excellent at protecting against hackers outside," Slavkin said. "But when it comes to something like that, it surprises everyone."
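One way to implement the kind of check described above, as an added example (not code from Cachet or from the original article): it parses NACHA's fixed-width batch header and entry detail records, rejects malformed records, and flags large credit totals headed to a destination never before seen for that originator. The baseline mapping, the dollar threshold and every sample value are assumptions constructed for illustration.

```python
from collections import defaultdict

RECORD_LEN = 94               # every NACHA record is exactly 94 characters
CREDIT_CODES = {"22", "32"}   # checking credit, savings credit

def parse_credits(ach_text):
    """Yield (company_id, routing, account, cents) for each credit entry."""
    company_id = None
    for n, line in enumerate(ach_text.splitlines(), 1):
        if len(line) != RECORD_LEN:   # malformed records are rejected, not guessed at
            raise ValueError(f"line {n}: {len(line)} chars, expected {RECORD_LEN}")
        if line[0] == "5":            # batch header, company id in positions 41-50
            company_id = line[40:50].strip()
        elif line[0] == "6" and line[1:3] in CREDIT_CODES:
            # entry detail: routing 4-12, account 13-29, amount in cents 30-39
            yield company_id, line[3:12], line[12:29].strip(), int(line[29:39])

def flag_new_destinations(ach_text, baseline, threshold_cents):
    """Return large credit totals headed to accounts absent from the baseline."""
    totals = defaultdict(int)
    for company, routing, account, cents in parse_credits(ach_text):
        totals[(company, routing, account)] += cents
    return sorted((c, r, a, amt) for (c, r, a), amt in totals.items()
                  if amt >= threshold_cents
                  and (r, a) not in baseline.get(c, set()))

# Constructed sample data below: no real company, routing or account numbers.
def sample_header(company_id):
    return ("5200" + "SAMPLE PAYROLL".ljust(16) + " " * 20 + company_id.ljust(10)
            + "PPD" + "PAYROLL".ljust(10) + " " * 6 + "190904" + "   1"
            + "11111111" + "0000001")

def sample_entry(routing, account, cents):
    return ("622" + routing + account.ljust(17) + f"{cents:010d}" + " " * 15
            + "CONSTRUCTED NAME".ljust(22) + "  0" + "0" * 15)

BASELINE = {"9000000001": {("111111118", "SETTLE-0001")}}  # hypothetical history
USUAL = "\n".join([sample_header("9000000001"),
                   sample_entry("111111118", "SETTLE-0001", 2_600_000_000)])
CHANGED = "\n".join([sample_header("9000000001"),
                     sample_entry("333333334", "EMPLOYEE-42", 250_000),
                     sample_entry("222222226", "NEWACCT-77", 2_600_000_000)])

if __name__ == "__main__":
    print(flag_new_destinations(USUAL, BASELINE, 10_000_000))    # usual account
    print(flag_new_destinations(CHANGED, BASELINE, 10_000_000))  # new destination
```

The threshold keeps ordinary new-hire deposits from raising alerts, so only a large sum moving to an unfamiliar account is held for manual review before the file is released.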