The hidden treasure in payroll software
When you think cyberattack targets, you think banks, hospitals, e-commerce. Payroll software is rarely mentioned. Yet it concentrates the most sensitive and most monetizable data in an organization.
What payroll software contains
A single flaw in payroll software exposes this data (salaries, IBANs, SSNs, ID documents, sick leave records) for every employee of every client company.
Why attackers target payroll
Market value: a complete employee record (IBAN + SSN + ID) sells for €50-€200 on dark markets. For payroll software with 10,000 employees, that's a haul worth €500,000-€2M.
Ransomware leverage: the threat of publishing an entire company's salaries is a powerful pressure lever.
Wire fraud: changing an employee's IBAN in payroll software diverts their salary. Discreet and profitable.
The vulnerabilities we find
APIs without granular access control: an HR manager who accesses the API can retrieve data for ALL employees, not just those in their scope. Endpoints return complete objects (salary, IBAN, SSN) without role-based filtering.
HR documents in public buckets: payslips, employment contracts, ID copies stored in S3 or Supabase Storage buckets without access policies. Accessible by direct URL.
Unrestricted CSV exports: export functionality that allows downloading all data in one click. No volume limits, no export logging, no managerial validation.
Unauthenticated payroll webhooks: payslip modifications, employee additions and IBAN changes accepted via webhooks without signature verification.
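The first pattern above (an authenticated HR user retrieving every record with every field) and its fix, as an added example that is not code from the original article or from any vendor's product. The employee schema, the roles and the sample records are constructed for illustration.

```python
from dataclasses import dataclass, asdict

@dataclass(frozen=True)
class Employee:
    id: int
    team: str
    name: str
    salary: int
    iban: str
    ssn: str

# Constructed sample data; IBAN/SSN values are fake placeholders.
EMPLOYEES = [
    Employee(1, "sales", "A. Martin", 42000, "FR76-TEST-0001", "SSN-TEST-0001"),
    Employee(2, "sales", "B. Dupont", 39000, "FR76-TEST-0002", "SSN-TEST-0002"),
    Employee(3, "eng", "C. Lee", 55000, "FR76-TEST-0003", "SSN-TEST-0003"),
]

# Field-level policy: which attributes each role may see on records inside its scope.
# Team managers get people data only; payroll data (salary, IBAN, SSN) stays with payroll.
VISIBLE_FIELDS = {
    "employee": {"id", "team", "name", "salary", "iban", "ssn"},  # own record only
    "manager": {"id", "team", "name"},
    "payroll": {"id", "team", "name", "salary", "iban", "ssn"},
}

@dataclass(frozen=True)
class Requester:
    employee_id: int
    role: str
    teams: frozenset  # teams this requester is responsible for

def in_scope(req: Requester, emp: Employee) -> bool:
    """Row-level check: employees see themselves, other roles see their teams."""
    if req.role == "employee":
        return emp.id == req.employee_id
    return emp.team in req.teams

def list_employees_vulnerable(req: Requester) -> list:
    """The flaw the article describes: authenticated, but no scope or field filtering."""
    return [asdict(e) for e in EMPLOYEES]

def list_employees(req: Requester) -> list:
    """Hardened version: row-level scope plus role-based field filtering."""
    allowed = VISIBLE_FIELDS[req.role]
    return [{k: v for k, v in asdict(e).items() if k in allowed}
            for e in EMPLOYEES if in_scope(req, e)]

def get_employee(req: Requester, emp_id: int):
    """Single-record lookup; out-of-scope ids return None (same as nonexistent ids)."""
    return next((r for r in list_employees(req) if r["id"] == emp_id), None)
```

Returning None for both unknown and out-of-scope ids keeps the endpoint from confirming which employee ids exist to a caller outside their scope.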
The regulatory impact
Payroll data is personal data under the GDPR. Health data (sick leave) is sensitive data under Article 9. A leak triggers the obligation to notify the CNIL within 72 hours and to individually notify each affected employee.
Our HR tech expertise
We regularly audit HR and payroll software. Our external review identifies salary and HR data exposures without ever accessing the data itself. Report within 48h with GDPR implications and remediation plan.
For HR & Payroll vendors
CleanIssue specializes in security reviews for HR, payroll, and recruiting software. If you're building an HRIS, payroll tool, or ATS and want an external review of your exposure before a client audit or security questionnaire, see our offer for HR & Payroll vendors.
Sources
Editorial analysis based on official vendor, project, and regulator documentation.