Corban OneSource Breach Exposes 1,593 SSNs After Network Hack
HR and payroll vendor Corban OneSource disclosed a breach affecting 1,593 individuals after a September 2025 network intrusion exposed names and Social Security numbers.
Payroll and HR Vendor Corban OneSource Breached -- 1,593 SSNs Exposed
Corban OneSource, LLC, a Florida-based payroll and HR outsourcing firm, disclosed a data breach on February 4, 2026, affecting 1,593 individuals. Attackers gained unauthorized access to the company's network systems on September 9, 2025, and accessed files containing names and Social Security numbers belonging to employees, customers, and vendors of the company.
The full scope of the breach went unresolved for over four months. Corban identified the unauthorized access on the day it occurred but did not determine that personal information was compromised until January 12, 2026. That 125-day gap between detection and breach confirmation raises questions about the speed and scope of the forensic investigation.
What Happened at Corban OneSource
On September 9, 2025, Corban OneSource identified unauthorized access to certain systems within its network. The company states it "immediately took steps to secure the network and launched an investigation into the matter." Law enforcement was notified.
The investigation confirmed that file access occurred on September 9, 2025 -- a single day of unauthorized access, not an extended intrusion. But the review of what was in those files took months. On January 12, 2026, Corban determined that the accessed files contained personally identifiable information belonging to 1,593 individuals.
Notification letters went out on February 4, 2026, via U.S. First-Class mail. The legal work was handled by Baker Hostetler, one of the most active law firms in data breach response, which suggests Corban engaged experienced breach counsel early in the process.
The 148-Day Timeline
- September 9, 2025 -- Unauthorized access detected and contained (same day)
- January 12, 2026 -- Investigation determines PII was accessed (125 days later)
- February 4, 2026 -- Consumer notification mailed and Maine AG notified (23 days later)
Total: 148 days from breach to consumer notification.
The 125-day gap between detecting the intrusion and confirming which personal information was involved is the critical delay. For a dataset of 1,593 individuals, the file review itself should not take four months. The delay more likely reflects the broader forensic investigation -- imaging systems, analyzing access logs, determining the full scope of the compromise -- followed by legal and compliance review before notifications were authorized.
Maine's notification statute requires action "as expediently as possible and without unreasonable delay." Whether 148 days is "reasonable" depends on the complexity of the investigation. Given the single-day access window and the relatively small number of affected individuals, regulators may question whether the process could have moved faster.
What Data Was Exposed
The breach compromised names combined with Social Security numbers. The notification letter uses a templated "Breached Elements" field, suggesting different individuals may have had different data elements exposed, but the Maine AG filing confirms the core combination is name plus SSN.
The 1,593 affected individuals include employees, customers, and vendors of Corban OneSource. This is a common pattern in payroll/HR outsourcing breaches -- the company holds PII for its own staff, the client companies it serves, and potentially the contractors and vendors it works with. All three groups were caught in the same data exposure.
SSN exposure creates the standard cascade of risk: new credit account fraud, tax return fraud, identity theft, and long-tail exploitation. The fact that these SSNs belong to people across multiple organizations -- not just one company's employee roster -- makes the breach harder for any single entity to monitor and mitigate.
Why Payroll Vendor Breaches Matter for Financial Institutions
Corban OneSource provides payroll, HR, and benefits administration outsourcing services. Companies like Corban are data aggregators by design -- they collect SSNs, direct deposit information, tax withholdings, health insurance details, and salary data from every employee of every client they serve.
For financial institutions that use outsourced payroll services (many community banks and credit unions do), a breach at the payroll vendor is functionally equivalent to a breach of their own employee records. The payroll provider holds the same SSNs, bank account numbers, and compensation data that sits in the institution's own HR system.
This creates a supply chain risk that mirrors what we see in other vendor breach patterns. The Marquis Software Solutions breach exposed customer data held by a marketing vendor; the SitusAMC breach exposed borrower data held by a mortgage services vendor. Corban OneSource adds a third dimension: employee data held by an HR services vendor.
According to FinSecLedger's breach tracker, vendor and third-party compromises continue to account for a significant share of financial sector data breaches. The common thread: vendors hold sensitive data with less security maturity than the financial institutions they serve.
Remediation and Protections
Corban OneSource is providing affected individuals with a complimentary subscription to Epiq Privacy Solutions ID, which includes:
- Three-bureau credit monitoring with alerts (Equifax, Experian, TransUnion)
- Annual three-bureau VantageScore credit report and score
- SSN monitoring across loan applications, employment records, tax filings, and payment platforms
- Dark web monitoring
- Credit report lock/freeze assistance
- Up to $1 million identity theft insurance ($0 deductible)
- Unauthorized electronic funds transfer reimbursement up to $1 million
- Personal info protection (people search site and data broker removal assistance)
- Identity restoration specialists
The three-bureau monitoring package is notably more comprehensive than the single-bureau monitoring offered in many recent breach notifications. The SAFE Credit Union breach offered only one-bureau monitoring through Norton LifeLock. The difference may reflect Corban's cyber insurance policy requirements or a conscious decision to provide stronger coverage given the SSN exposure.
Affected individuals can enroll at privacysolutionsid.com or call 877-421-8522 with questions. The enrollment deadline is specified in individual notification letters.
Regulatory Considerations
Corban OneSource operates from Clearwater, Florida, but filed notifications across multiple states. The company's multi-state client base means its regulatory exposure extends well beyond Florida's breach notification law.
Under federal law, payroll service providers that handle tax information are subject to IRS Publication 4557 safeguarding requirements. A breach that exposes SSNs used in payroll and tax processing could trigger IRS scrutiny, particularly if affected individuals become victims of tax refund fraud.
For financial institutions whose employee data was held by Corban, the breach may trigger obligations under their own regulatory frameworks. Banks subject to OCC, FDIC, or Federal Reserve examination should expect examiners to inquire about vendor management for payroll services -- an area that often receives less scrutiny than technology vendors but carries equivalent data risk.
The involvement of Baker Hostetler -- a firm that has handled thousands of data breach responses -- indicates Corban is treating this as a serious multi-jurisdictional compliance event. The firm's breach counsel typically coordinates notifications across all required states, manages regulatory communications, and oversees the credit monitoring vendor relationship.
Action Items for Organizations Using Outsourced Payroll
- Know your payroll vendor's security posture. When did you last assess your payroll provider's cybersecurity controls? SOC 2 reports are a starting point, but they are backward-looking and attestation-based. Ask for evidence of current security practices: endpoint detection, network segmentation, access controls, and incident response capabilities.
- Inventory what data your payroll vendor holds. Your payroll vendor has SSNs, bank account numbers, salary information, health insurance details, and potentially more. Map exactly what data flows to the vendor and whether any of it can be tokenized or encrypted in transit and at rest.
- Review your contract. Does your agreement with your payroll provider include specific security requirements, breach notification timelines (measured in hours, not months), indemnification provisions, and right-to-audit clauses? If not, your next contract renewal is the time to add them.
- Plan for employee communication. If your payroll vendor is breached, your employees will expect to hear from you, not from a company they may never have heard of. Prepare a communication template that explains the relationship and the steps your organization is taking to protect their data.
- Consider payroll data segmentation. Some organizations are moving toward a model where the payroll vendor receives tokenized SSNs rather than raw values, or where sensitive data is encrypted with keys held by the client. These approaches reduce the blast radius of a vendor breach.
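One way the tokenized-SSN model in the last item could work, as an added example (not Corban's or any vendor's code): the client derives tokens with an HMAC key it never shares and keeps the token-to-SSN vault itself. The class and function names, the `tok_` prefix and the sample records are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import secrets

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")

def normalize_ssn(raw):
    """Return the nine digits of an SSN, rejecting malformed input."""
    m = SSN_RE.match(raw.strip())
    if not m:
        raise ValueError("not a 9-digit SSN")
    return "".join(m.groups())

class ClientTokenizer:
    """Hypothetical client-side helper; key and vault never go to the vendor."""
    def __init__(self, key):
        if len(key) < 32:
            raise ValueError("use a key of at least 32 bytes")
        self._key = key
        self._vault = {}  # token -> SSN, held by the client only

    def tokenize(self, raw_ssn):
        ssn = normalize_ssn(raw_ssn)
        # Keyed HMAC, not a bare hash: there are only 10**9 possible SSNs,
        # so an unkeyed SHA-256 could be reversed by simple enumeration.
        mac = hmac.new(self._key, ssn.encode(), hashlib.sha256).hexdigest()
        token = "tok_" + mac[:32]
        self._vault[token] = ssn
        return token

    def detokenize(self, token):
        return self._vault[token]

    def export_for_vendor(self, records):
        # Copy each payroll record, replacing the raw 'ssn' with its token.
        return [{**r, "ssn": self.tokenize(r["ssn"])} for r in records]

# Constructed sample payroll rows; the SSN values are made up.
SAMPLE = [
    {"employee": "A. Example", "ssn": "900-00-0001", "gross": 4200},
    {"employee": "B. Example", "ssn": "900000002", "gross": 3900},
    {"employee": "A. Example", "ssn": "900000001", "gross": 4200},
]

if __name__ == "__main__":
    t = ClientTokenizer(secrets.token_bytes(32))
    for row in t.export_for_vendor(SAMPLE):
        print(row)
```

Because tokens are deterministic per key, the vendor can still match the same employee across pay runs without ever holding the raw SSN; rotating the client key changes every token.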