2023-07-20 Paycom Software, Inc. Cybersecurity Incident

Page last updated on April 11, 2024

Paycom Software, Inc. initially disclosed a cybersecurity incident in an SEC 8-K filing on 2023-07-20 17:23:27 EDT.

Incident Details

Material: Unknown
Is Breach: Unknown
Records Compromised: Unknown
Data Types Impacted: No Data Types Tracked (yet)

Compromised Date:
Detected Date:
Disclosure Date: 2023-05-31
Contained Date:
Recovered Date:

Attack Goal: Unknown

Costs: No Costs Tracked (yet)


8-K filed on 2023-07-20

Paycom Software, Inc. filed an 8-K at 2023-07-20 17:23:27 EDT
Accession Number: 0001193125-23-190562

Item 8.01 Other Events.

On May 31, 2023, Progress Software Corporation (the “Vendor”), a vendor to a subsidiary of Paycom Software, Inc. (the “Company”), disclosed a previously unknown vulnerability in the Vendor’s MOVEit file transfer software (“MOVEit”) that could enable malicious actors to gain unauthorized access to sensitive files and information. MOVEit is used by thousands of organizations for secure data file transfers and is now the subject of a widely reported cybersecurity event impacting numerous organizations and governmental agencies around the world (the “Vendor Incident”). The Company used MOVEit for a limited set of secure file transfers supporting client services and with certain outside vendors supporting internal operations.

The Company promptly deployed cybersecurity defenses, including patching the software according to the Vendor’s published protocols and launching an internal investigation in partnership with outside independent cybersecurity forensic experts. Currently there is no indication that the Company’s HR and payroll software application was impacted. There has been no interruption to the Company’s systems, services or business operations.

As of the date of filing this Current Report on Form 8-K, the Company confirms that, as a result of the MOVEit vulnerability, an unauthorized third party downloaded copies of files from the MOVEit server, gaining access to data of certain Company clients and their employees, including personally identifiable information of less than 0.4% of all persons on behalf of whom the Company stored client data during the year ended December 31, 2022. Compromised data included personally identifiable information in employee records of approximately 127 former and current clients, or approximately 0.7% of the Company’s client base (based on parent company grouping) as of December 31, 2022. The unauthorized third party also gained access to a limited number of Company files stored on the MOVEit server, including certain employee records containing personally identifiable information. The Company has engaged a third-party computer forensics team to verify the scope of the Vendor Incident and is in the process of contacting affected clients directly.

The Company is continuing to evaluate the impact of the Vendor Incident, including certain remediation expenses and other potential liabilities. The Company does not currently believe the Vendor Incident will have a material adverse effect on its business, operations or financial results.

Company Information

Name: Paycom Software, Inc.
SIC Description: Services-Prepackaged Software
Category: Large accelerated filer
Fiscal Year End: December 30