Skip to content

Security Notification – Action Required to Protect Your Accounts

We would like to inform you about a recent issue that has affected a few SimplePay Accounts.

What happened

We’ve identified that cybercriminals accessed specific employee Self-Service, as well as Admin user accounts, using compromised passwords stolen from external platforms. Once logged in, they attempted to submit fraudulent information update requests to employee banking details, and made changes to employee bank accounts as admins, in a few cases.

What you need to know

We want to reassure you that SimplePay’s systems have not been breached. Our database remains secure and completely isolated, and all passwords are stored and irreversibly encrypted. The affected passwords were compromised elsewhere, not within SimplePay.

What we recommend

To reduce the risk of fraudulent account activity, please take the following precautionary steps:

  • Ensure that your staff enable 2-Factor Authentication (2FA) for all users on your account.
  • Ask all users to reset their passwords to strong, unique ones that are not reused on other systems.

We ask admin users to review and verify any information update requests directly with employees before approving them. Employees should also report any unexpected or suspicious notifications to their employer immediately.

Additionally, admin users should double-check employee details. This can be done in two ways:

  • When bulk-finalising, the system displays a pre-finalisation page that shows you which employees have had their account details changed, if any.
  • When finalising payslips individually, you can view any recent changes under Employees’ Recent Activity.

What’s next

Our Information Security Team is continuing to investigate these incidents – in cooperation with the authorities. If we identify any patterns or additional risks, we’ll notify affected customers directly. While we always recommend using 2FA, we’re immediately implementing additional security measures for customers who don’t have 2FA enabled yet.

While our platform remains secure, these cases are a good reminder of the importance of password security. Users should set complex passwords, avoid reusing passwords across systems or reusing previous passwords, and reset passwords periodically.

Thank you for your ongoing attention to security and for helping us protect your data.