The latest data breach involves the sensitive salary and tax data contained on W-2 forms. Nadya Lukic/E+/Getty Images

Hackers exploited an external online portal provided to ADP customers to get the sensitive salary and tax data contained on W-2 forms. Nadya Lukic/E+/Getty Images

Identity thieves have their hands on a new batch of personal and tax data after hacking the payroll outsourcing company ADP.

The information is from W-2 forms, the documents workers get from their employers in late January or early February so they can file their annual tax returns with the Internal Revenue Service and state tax departments.

Now crooks have all they need to beat those filers to the punch and submit fake 1040s claiming fraudulent tax refunds.

Personal data used to get into ADP

Krebs on Security website, which first reported the ADP breach, also obtained a copy of a letter that affected U.S. Bank employees received regarding the security issue.

Unauthorized access to the workers’ tax and employment data occurred, according to the U.S. Bank letter, “because ADP offered an external online portal that has been exploited.”

Basically, the crooks didn’t break into the payroll service provider’s site, but rather used workers’ confidential personal information that they had obtained from other sources to register as the workers at one of the firms using the ADP customer portal. Once connected, they simply viewed or downloaded the W-2s.

That same tactic of getting individuals’ information — names, birth dates and Social Security numbers — elsewhere and then breaking into a site with additional data was used by identity thieves who hacked the IRS’ Get Transcript online application. Around 724,000 taxpayer accounts ultimately were compromised.

Small, but possibly costly, breach

Both U.S. Bank and ADP said the actual number of affected employees was limited, but did not reveal exact numbers. ADP also told Krebs that the same fraud was used against “a very small subset” of ADP’s total customers this year.

Of course, the minuscule possibility means nothing if you’re in that small group that was hacked. Once your identity is stolen, you could face big problems.

Tax moves to combat ID theft

On the tax side, if you know or even just suspect that your ID has been stolen, the IRS recommends you send it Form 14039, Identity Theft Affidavit. This puts the agency on alert for your Social Security number and other information that could show up on a fake return.

If a criminal does file a fake return pretending to be you, file your real tax return on paper, attaching a copy of the Form 14039 with your legitimate filing. Also watch for any follow-up correspondence from the IRS about your real or possible fake returns and respond immediately.

You also need to keep an eye on your other financial data, such as your credit reports. You can check those for free at mybankrate.com.

You can keep up with tax news, both expenditures and collection efforts, and find filing tips, calculators and more at Bankrate’s Tax Center.

And be sure to follow me on Twitter: @taxtweet.