ADP Experiences Security Breach
wiredmikey writes "HR and Payroll outsourcing giant Automatic Data Processing, Inc. (ADP) experienced a system intrusion, the company announced Wednesday. ADP said it was investigating and taking measures to address the impact of a system intrusion that occurred with a client at Workscape, a benefits administration provider that ADP acquired in August 2010. ADP has also been actively cooperating with law enforcement to determine the cause of this incident and to assist authorities in identifying and apprehending those responsible. ADP added the following in a statement: 'Because this incident is the subject of an ongoing law enforcement investigation, ADP cannot disclose any additional details at this time. ADP will provide further updates once information that can be made public becomes available, and we will continue to communicate with all affected parties as appropriate.'"
I have fairly extensive knowledge of the ADP product set, hence my use of the coward...
The platform you are talking about is actually ADP Freedom, a somewhat ambitious product developed in the US and now only used by the UK arm. A certificate is required for all admin accounts, same with the ActiveX components. The biggest single issue is that the ActiveX controls have to be installed directly from a dedicated site; there was no MSI package available, although I believe this is being considered. As such, each admin station had to have an admin account log on, visit the site and install. They are not used as part of the security model in any way and are really just used to render data. The certificates are easy; you can have as many as you want and export them at will.
The IE tie-in was, to my eyes, a mistake, one about which I know a lot of noise has been made, both internally and with clients. While with a little work you can run the client (employee portal) on any browser, the admin side uses a Crystal component as well as a couple of in-house ones. This makes it a non-starter on anything but IE. But then you have to look at the market when the product was designed; back then it was IE everywhere, and they were not alone in buying into the platform. Also don't forget that they copped a lot of flak when they finally decided to start dropping support for IE 6.
In the past the performance was certainly not as good as it could have been. Some serious investment was made in the back end last year, with better load balancing and more nodes on the cluster. The new platform is serious, scalable and a lot more stable than it once was.
ADP do take security seriously; while they could be better, they are better than many organisations. The biggest security risk they face, however, is the clients themselves. End users that can't understand why they insist on sending items such as copy payslips as encrypted files and so demand that they are just sent as PDF attachments, clients that bitch about a 15-minute time-out on non-activity, clients that run BonziBuddy and Google toolbars... the list goes on.