
ADP Experiences Security Breach

Posted by samzenpus
from the check-out-the-stubs dept.
wiredmikey writes "HR and Payroll outsourcing giant Automatic Data Processing, Inc. (ADP) experienced a system intrusion, the company announced Wednesday. ADP said it was investigating and taking measures to address the impact of a system intrusion that occurred with a client at Workscape, a benefits administration provider that ADP acquired in August 2010. ADP has also been actively cooperating with law enforcement to determine the cause of this incident and to assist authorities in identifying and apprehending those responsible. ADP added the following in a statement: 'Because this incident is the subject of an ongoing law enforcement investigation, ADP cannot disclose any additional details at this time. ADP will provide further updates once information that can be made public becomes available, and we will continue to communicate with all affected parties as appropriate.'"

  • It almost seems like it would be easier to maintain a list of which major payment systems haven't been breached (that we know of). Seriously, if this was as wide open as Citibank and Sony, then we have to assume that just about everybody will be this easy to pwn.

    • Re: (Score:3, Insightful)

      by Subratik (1747672)
      I thought this would be a good idea at first, until I realized that most of the companies still on the whitelist would just become targets....and just because they haven't gotten hacked yet, doesn't mean they have good security measures.... Frankly, I think companies who have gotten hacked would be better alternatives considering the CEOs probably don't ever want to mess around with budget cuts when it comes to infrastructure security.... "Looking at you, Sony"
      • >> most of the companies still on the whitelist would just become targets

        Good. Then staying on the white list will be ever more valuable.

    • I found a chipmunk nesting in the box of Krugerrands under my bed, next to my gun safe; but there were only a few nibbles, and no material appears to have been removed.
      • by ginbot462 (626023)

        Sooooo, by your analogy --> you work payroll for a company? Must be a grizzled old miner company. dagnabit.

    • by trum4n (982031)
      I have a feeling somebody foreclosed on the wrong hacker. That's my $0.02.
  • Not exactly ADP (Score:5, Informative)

    by erroneus (253617) on Thursday June 16, 2011 @08:27AM (#36461324) Homepage

    The article makes grand mention of ADP, but the affected systems are far less significant than if it were ADP itself. I don't know what ADP's services are like now, but I recall a time when my accounting people required MSIE and ActiveX controls to access ADP's services. That alone made me worry extensively about ADP's notion of security. But reading the article, I see that it's something else entirely.

    ADP acquired Workscape in August 2010. Workscape provides solutions including talent management, benefits administration and employee communications for hundreds of organizations and millions of workers around the world.

    The compromise was at Workscape which I imagine had not integrated its network with ADP's larger network. The organization appears not to have much to do with payroll or money services at all.

    • If I remember correctly, as of a year ago ADP still uses MSIE and ActiveX. Fixing someone's payroll machine is... fun?
      • by Anonymous Coward
        From an end-user perspective, their systems are a complete bag of shit. Nuff said.
      • by FatAlb3rt (533682)
        Our HR lady needed to have a digital cert installed on her machine to gain access. Their site is usually very slow to navigate and I personally hate the design - very capable, but lots of wasted time and clicks to do it.
      • MSIE is still the recommended browser although a lot of the internet applications are also tested against FF, Chrome, and Safari. And ActiveX controls have been removed from the equation as the applications have matured over the years. There might be an old application out there somewhere using ActiveX but I have not seen any in the applications coming from corporate IT.
        • by EXrider (756168)
          I just helped (and by help, I mean did way more than I should've had to) ADP and our HR department migrate our time & attendance from the ancient 16-bit POS that is eTime, to their Workforce Now hosted product; and our payroll from PC Payroll to whatever its new web hosted equivalent is. I get a lot of complaints that it's slow as hell and from what I've observed, it does not work in Chrome or Firefox. The whole implementation project was poorly managed by them, and pretty much everything short of a
          • ADP like any other big corporation has grown through global acquisitions of smaller companies that provide the same type of services and they inherit a wide range of applications and data that must be consolidated. It takes time to do this and some people will need to keep using the old systems until it can be integrated with the rest of the systems. New or existing customers do not have this problem. ADP also relies heavily on Salesforce integration which takes some decision making power away from the inte
            • by EXrider (756168)

              Some corporate payroll systems also have their own requirements and limitations on how their internal systems interface with a 3rd party which can create a whole other set of problems.

              Yeah, I understand that, but we were using ADP's payroll system (and T&A), not our own, or some other 3rd party solution. You would think that it would be pretty straightforward since it's all involving ADP's own products. At one point our "Implementation Specialist" realized that not only had they forgot to implement

          • ...everything short of a complete disaster with people's PTO and Vacation accruals getting screwed up...

            We switched to ADP a little over a year ago. They've still not gotten the PTO problems worked out, and if I want to know how much I have, I have to contact HR and have them manually go through and work it out by hand.

            Sad to say, I actually sometimes miss the old way of filling out an Excel sheet for my time card...it was painful and awful, but at least it worked.

    • I recall a time when my accounting people required MSIE and ActiveX controls to access ADP's services

      My company uses it and it still does. I hate it so much. Having to open up IE to log in and use it is like casting a spell to open a portal into Satan's asshole.

      • by erroneus (253617)

        Wow... yet another goatse.cx troll... it was, wasn't it? The description certainly reminded me of it.

    • by Ucklak (755284)

      It's a closed system so MSIE and Active X doesn't matter. The troubling part is the RSA tokens that were hacked.

      The client access is a 3 tier login.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      I have fairly extensive knowledge of the ADP product set, hence my use of the coward..

      The platform you are talking about is actually ADP Freedom, a somewhat ambitious product developed in the US and now only used by the UK arm. A certificate is required for all admin accounts, same with the ActiveX components. The biggest single issue is that the ActiveX controls have to be installed directly from a dedicated site, there was no MSI package available, although I believe this is being considered. As such each

    • by thesteveco (20012)

      Having worked at a financial institution I can say that you might be surprised to see how loosely some connections to vendors can be, much less partners or acquisitions. As much as I like to hope that ADP raises the bar, I've seen some rather terrifying things in the past in the way systems can be interconnected.

      RSA, BofA, Citi, Lockheed, now ADP... it's getting really scary out there. I'm rapidly losing any faith in the security of my information, whether they actively or passively have my consent to sto

  • It was clearly 'Anonymous'. Or has Sony trademarked that excuse?
  • Somebody must be really wanting to roll out a killswitch, protect all that wide open US electrical grid, rod go up/down via modem at the nuclear plant, telephone exchange and your brand new networked power meter.
    How many millions will be handed over to contractors and any foreign entity with a security clearance to fix a secret wireless communications channel with remote secure control to any device that speaks "internet"?
    Some 'admin' having a bad script kiddies day with Microsoft again, triggers a state/
    • A kill switch is just about the dumbest idea ever. As soon as it's made, it will then be every bit as vulnerable as all of these systems that are getting hacked. It would become the quickest, easiest massive DoS attack to pull off, and it would give all of the hacking/cracking community a clear and obvious high value target. Given a dedicated enough team of black hats, it's not a matter of if it gets compromised, it's a matter of how long.
      • by tlhIngan (30335)

        A kill switch is just about the dumbest idea ever. As soon as it's made, it will then be every bit as vulnerable as all of these systems that are getting hacked. It would become the quickest, easiest massive DoS attack to pull off, and it would give all of the hacking/cracking community a clear and obvious high value target. Given a dedicated enough team of black hats, it's not a matter of if it gets compromised, it's a matter of how long.

        A DoS isn't a bad thing compared to getting silently intruded. And DoS

    • Properly and on time, instead of being hidden, to defend share price?

      Ever think of that??

      E.G.-> SONY took a 4% drop in stock when they were hacked/cracked for example.

      That said? It's NO SECRET that many companies try to "hide it" (while their boards of directors ditch shares like mad before the news hits and people lose faith in them due to security breaches).

      However, lately??

      It seems that trend has reversed itself and we're seeing what is occurring in a timely fashion.

      (That's a good thing for end users o

    • by ginbot462 (626023)

      I see why you picked your user name. ... I wish I could say you're wrong, and you probably are on this particular instance, but eventually it will be the new enemy: digital terrorist (just like the predecessors: Communists, War on Drugs, etc.). Then it is a brave new world indeed.

  • by Anonymous Coward

    Just add a couple extra non-zero digits to the left side of the dollar column in my paycheck this week. I'll split it with you.

  • by Anonymous Coward

    I was complaining to the HR person at my previous company that the password policy of ADP is so terrible that it encourages extremely bad behaviour with password management (really really draconian password requirements that you basically end-up having to use a random password generator). I said that it's not great security wise & the response was that "This is a huge company that a lot of people use & I'm sure they know what they're doing better than you". At that point I gave up on continuing th
