TriNet shares employee PII without controls
My employer’s HR department asked me to validate a coworker’s identification documents and attest that they’re legitimate, for government tax form purposes.
I got an email from our payroll vendor, TriNet, with a link to attest to those documents’ authenticity. Clicking it took me to a page with scans of my friend’s driver’s license and Social Security card without requiring me to log in first. My coworker hadn’t entered their driver’s license number into the form, so I used the scanned image to enter it for them.
That’s pretty messed up. Good thing TriNet didn’t send that link to the wrong person, or they would have shared my colleague’s personally identifiable information with random strangers.
If your company uses TriNet, ask them for more information about this terrible, horrible, no good, very bad process, and how it got past design review. Their whole job is managing private payroll information. They’re not very good at it.