Finance Giant Plaid Paid People $500 for Their Employer Payroll Logins

The offer was part of an internal test at Plaid. If people’s employers didn't provide permission, Plaid may run afoul of U.S. hacking laws.
May 11, 2021, 1:31pm

Plaid, a giant in the finance world that was recently valued at $13 billion, paid people $500 each for providing their employer payroll login details, which, if the people were not authorized by their employer to share the credentials, may run afoul of U.S. hacking laws, Motherboard has learned.

The news highlights the interest in payroll data, with various companies launching products centered around the novel dataset. Last week, Motherboard reported on how a company called Argyle was linked to a series of suspicious websites that offered to pay people for their workplace login details.

A Plaid employee asked people to temporarily share access to their payroll login credentials, according to a copy of the message obtained by Motherboard. Plaid confirmed the offer's legitimacy. Plaid gained access to the accounts under its own name and told Motherboard this was part of a pilot program to build "consumer-permissioned tools that make it easier for consumers to securely share their information digitally."

The message said the login credentials were to be used as part of a Plaid test, and asked participants to specify which payroll processor they were on. In responses to the message, the Plaid employee said participants would be paid $500; a responder also specifically mentioned the payroll service Workday.

Do you know anything else about data gathering practices? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

Plaid told Motherboard 12 people participated in the test and that it was vetted by the company's legal counsel. Plaid added that participants' login credentials have since been deleted and that the test was only open to friends and family of existing Plaid employees.

Plaid provides the APIs for apps such as Venmo, Robinhood, and Coinbase to connect to bank accounts. Visa planned to acquire Plaid for $5.3 billion, before both companies called off the deal in January after the Department of Justice sued to stop the acquisition on antitrust grounds. In April Plaid announced a $425 million Series D funding round, with a company valuation of $13.4 billion. Plaid's new "Income" product, currently in beta, offers to "Verify anyone's income and employment easily." The product is designed at least in part to help lenders confirm a person's income.

Companies across the U.S. use a selection of different payroll services, such as Workday or ADP. These let workers and their employers manage and monitor people's pay, tax statements, and other workplace information. Generally, workers do not have blanket authorization from their employers to share corporate login credentials, even if the credentials are for accessing their own work accounts.

Riana Pfefferkorn, research scholar at the Stanford Internet Observatory, said this case "absolutely" could fall under the Computer Fraud and Abuse Act (CFAA), the U.S.'s hacking law. Pfefferkorn pointed to a previous case involving Facebook and another company called Power Ventures, with which Facebook users shared their login details. Power Ventures let users log in and manage all of their social media accounts at once.

"The company was deemed to have violated the CFAA nevertheless because it didn't have Facebook's authorization to access Facebook's servers," she told Motherboard in an online chat. In this new example, Plaid would be the party violating the CFAA. Facebook was awarded $79,640 in damages.

Pfefferkorn added she thought there wasn't much risk of a CFAA claim against the individual worker, but they "may have violated their employment contract, which probably says something like 'don't share your goddamn login credentials with people outside the goddamn company, you idiot.'"

Motherboard asked Plaid four times if participants in the program had authorization from their employers to share their login credentials. The first time Plaid said it had no way of knowing. The other times, sent via email, Plaid either ignored or did not directly answer the question.

"Consumers have a right to access their own financial information, including their own payroll data like their paystubs, and should have the choice to use and share this data to manage their financial lives," a Plaid spokesperson told Motherboard in a statement. "Consumers already share their payroll data for many important financial services—to qualify for loans, lease cars or apartments, and more. The research program in question was a voluntary and time-limited pilot program to assist Plaid in building consumer-permissioned tools that make it easier for consumers to securely share their information digitally. Plaid was transparent with the 12 participants about the scope of the program, and received explicit informed consent to act as an authorized agent when participants allowed access to their individual account. Plaid is confident that consent-based sharing of credentials for legitimate purposes where the credentials are used only to access the data of the consenting user is not unlawful."
