Does payroll outsourcing risk leaking employee data?
There are different ways to manage payroll and many companies outsource theirs. Is this safe, though? In many cases, it is not.
Human error is the primary cause of security breaches and data leaks. In 9 out of 10 cases these happen unintentionally, and the necessity to exchange information between different systems is often at the heart of the problem.
The purpose of the article is to raise awareness about the importance of securing payroll data and to highlight the need for robust security measures to protect this information. The incidents serve as a reminder that organizations must prioritize the security of financial data and remain vigilant in safeguarding it from falling into the wrong hands.
In this article, we’ll discuss the different aspects of payroll security – and also the best strategies to mitigate the risk of data breaches.
Recent payroll data breaches
The occurrence of major payroll data breaches has become much more frequent in recent times. Just in 2023, some of world’s largest payroll processors have been hit:
| Date | Payroll provider | Employees on payroll | Companies affected or possibly affected |
|---|---|---|---|
| 03/2023 | Ceridian | 14,000 | WHSmith |
| 04/2023 | SD Worx | 5,000,000 | Marks & Spencer, Bank of America, Asda, WHSmith |
| 06/2023 | Zellis | 5,000,000 | British Airways, BBC, Boots, Jaguar Land Rover, Iceland, Dyson, Aer Lingus |
See the full list of recent payroll data breaches here.
According to law firm Harper James, a high level of reliance on external payroll operators significantly increases risk of data breaches. That is because running payroll externally often still involves sending emails that contain personal information – and payroll data is particularly valuable, as payroll processes involve making large wire transfers.
Why is payroll outsourcing not secure?
Outsourced payroll providers often collect sensitive employee information directly from employees using web-forms and then share a payment file and payslips via email. This exposes companies and employees to significant security risk because:
- You’re sending your most sensitive data to a third party, where you can no longer control what happens to it
- Data is often shared unencrypted via email, exposing you to the risk of both phishing attacks and accidental leaks
- Data maybe collected via web-forms which store data in violation of GDPR, for example in the United States
Personally identifiable information (PII) can cause harm to employees and to your business if it gets in the wrong hands, in the specific case of payroll information this is particularly true.
A self-serve employee platform like Zelt enables you to eliminate all of these risks and retain full control of your data: Employees can access and update personal information within the platform, and data never leaves the app’s secure environment.
But let’s first see the different types of security breaches to which outsourcing payroll can expose you.
Accidental data breaches
While most companies are no longer printing sensitive data – which is a major security risk, both because documents can get stolen and because printers are often not properly secured – many are still using email to send it either to an external payroll provider or to their employees.
It is a well-documented fact that 90% of data breaches happen via email, and with modern email clients like Google Workspace automatically saving and autocompleting email recipients, sending an email with employee data to the wrong Alex quickly leads to a data breach you may need to report to the ICO.
Your employees’ payroll data in the wrong hands can put your employees at risk of sophisticated scams like identity theft or the recently highly successful safe account scam that led to hundreds of people in the UK losing their life’s savings.
Phishing attacks and payroll fraud
More dangerous than accidental data breaches are phishing attacks, and external payroll provides an ideal target for phishing because a) email is already the default channel of communication, creating an easier way in for the attacker and because b) many different people are involved and can be impersonated by the attackers.
Attackers may impersonate the payroll provider and
- ask the employee to share personal data
- ask the HR admin to share employee data
- ask the employee to return supposedly incorrect salary payments (to their own account)
- send manipulated wire instructions (with their own accounts) to the HR admin
Attackers may impersonate the HR admin and
- ask the employee to share personal data
- ask the employee to return supposedly incorrect salary payments (to their own account)
Attackers may impersonate the employee and
- ask the payroll provider to update their bank account details (with their own account)
- ask the HR admin to update their bank account details (with their own account)
Malicious internal data breaches
Malicious internal data breaches happen when an employee steals sensitive information. While many payroll providers do have some security procedures in place, employee churn within payroll firms is often high, and you simply cannot control what happens to your data when another company is handling it – and with each new environment where your data is located, there’s an added security risk.
Your data protection responsibilities are yours alone
You remain responsible for the security of your sensitive data, subject to requirements such as the GDPR and ICO, even if you’re using the services of an external provider.
Otherwise said, you cannot outsource your data protection responsibilities and have to make sure that the security measures in place at the third-party payroll provider are up to par. If you do not, then data breaches caused by an external party become your liability, too, and employees could sue you if they suffer from the breach, for instance if they lose their savings as a result of the safe account scam.
And if you think that you’ll instantly know when a security breach happens, think again: The average data breach takes 287 days to identify and contain, according to IBM.
You also need to be able to tell employees exactly where and how their data is stored, and be ready to give them access to it. A self-serve employee platform instantly solves this problem, as employees can access their data themselves and modify and delete it if needed.
Why is outsourcing payroll still such a popular option if it’s risky?
If there are so many disadvantages to outsourced payroll management, why is it still such a popular option, you may ask?
Outsourcing payroll was historically the best option: Before we had good payroll software and automation, payroll was a lot of manual work. In that context, outsourcing it to an external provider made sense, which led to the growth of payroll bureaus.
Now, however, externally managed payroll can lead to more manual work because the process is so inefficient, and it also exposes you to additional risk of human error due to duplication of manual data entry and data sharing between multiple people involved in payroll.
In addition to that, the importance of cybersecurity and data protection in the times when payroll services became popular was much lower than today, and cybersecurity attacks were far less sophisticated.
Nowadays, cybersecurity attacks are becoming more and more frequent: Research from Sophos shows that phishing and ransomware attacks have doubled in the last 2 years. In the last year, 66% of companies were attacked by ransomware compared to 37% in 2020. In 90% of the cases, attacks affected businesses’ ability to operate and in 86% they lead to financial losses.
However, with the right HR and payroll software, you can automate your payroll and reduce the manual element of data entry, especially with the introduction of employee self-service – and keep your employee data better protected.
How can you make sure that your payroll data is secure?
If outsourcing payroll comes with so much embedded risk what are better alternatives and how can you make sure your data is safe?
The two main alternatives to outsourced payroll are:
- In-house payroll processing, in which you use your own payroll software and handle all payroll processes yourself – the most secure option
- Hybrid payroll processing, where you use your own software to manage data but delegate payroll processing to a third party that uses your own software.
Below you can see how these options compare to payroll outsourcing:
| Own software | External software | |
| Run payroll yourself | In-house payroll + Full control over process + Reduces emails and spreadsheets + More secure + More automatable – Cannot ask expert | |
| Get external support | Hybrid payroll + Can ask an expert + Manual work is outsourced + Full control over process + Reduces emails and spreadsheets + More secure + More automatable – Slighly higher costs | Outsourced payroll + Can ask an expert – No control over process – No control over data – More emails and spreadsheets – Higher risk of human error – Higher security risk – Much higher costs |
Financially confident can save themselves the additional cost of expert advice and run payroll inhouse.
A hybrid payroll approach is best for companies that are financially less confident and prefer some handholding and active support.
Modern HR and payroll platforms facilitate both interal access for employees to input personal data and external access for accountants using access permissions that are limited to what is required to be done. Zelt provides a single self-serve interface for all employee data:
- Employees can access their data at any point and update it if necessary
- Manage access to systems on a zero-trust approach to minimise the attack vector
- Give third parties such as accountants read-only access to payroll data on a need-to-know basis
- Data never leaves the platform
This way, employees can also access their payslips via a secure system, which helps you avoid printing or emailing payslips (both of which are risky).
Handle your payroll data securely to increase confidence and protect yourself against data breaches
Outsourcing payroll is the least secure option for payroll management, especially if you’re using email to communicate sensitive data – and we don’t recommend that option to anyone.
Managing your payroll in-house is the most secure option if you’re equipped with the right payroll software, as you retain full control over your data and who has access to it. Zelt embeds security into your existing people operations processes and helps you improve the way you handle sensitive data at your company – or even prepare for an ISO 27001 or SOC2 audit.
Frequently asked questions
Why is it important to protect your employee data?
Personally identifiable information (PII) is protected by GDPR and breaches can cause harm to your employees and the company. They may also need to be reported to the ICO and lead to heavy fines – or your employees suing you for failing to protect their data.
Why is payroll outsourcing not a good option anymore?
Employee data is not secure with an outsourced payroll provider, because in most instances it’s shared via email and stored externally, which creates an important risk of accidental data breaches, leaks, and phishing. Additionally, you cannot control what happens to your data once you send it to an external provider, but you remain responsible for any breaches or leaks.
Cyberattacks via email have grown by 600% in the past 3 years, and leaks take on average 287 days to identify and contain. For these reasons, completely outsourcing your payroll to an external provider is no longer a viable option and increases your exposure to cybersecurity risks.
Does outsourcing payroll reduce my responsibility?
No. You cannot outsource your data protection responsibilities, and have to review information security standards of the payroll outsourcing firm like they were your own, which is often not practically possible.
What is the most secure alternative to outsourcing payroll?
Using a HMRC-approved payroll software like Zelt is the best option you have to keep your payroll data safe, whether you want to run payroll yourself or want your accountant to manage it.
A self-serve platform enables your employees to access their data and update it as necessary, and you retain full control over who has access to what. If you’re using a hybrid payroll option, you can give access to external providers (accountants, payroll managers), but the data stays with you and never leaves the platform.
