Slashdot Mirror

← Back to Stories (view on slashdot.org)

ADP Experiences Security Breach

Posted by samzenpus on from the check-out-the-stubs dept.

wiredmikey writes "HR and Payroll outsourcing giant Automatic Data Processing, Inc. (ADP) experienced a system intrusion, the company announced Wednesday. ADP said it was investigating and taking measures to address the impact of a system intrusion that occurred with a client at Workscape, a benefits administration provider that ADP acquired in August 2010. ADP has also been actively cooperating with law enforcement to determine the cause of this incident and to assist authorities in identifying and apprehending those responsible. ADP added the following in a statement: 'Because this incident is the subject of an ongoing law enforcement investigation, ADP cannot disclose any additional details at this time. ADP will provide further updates once information that can be made public becomes available, and we will continue to communicate with all affected parties as appropriate.'"

32 of 53 comments (clear)

  1. Maybe we need to whitelist? by dkleinsc · · Score: 1

    It almost seems like it would be easier to maintain a list of which major payment systems haven't been breached (that we know of). Seriously, if this was as wide open as Citibank and Sony, then we have to assume that just about everybody will be this easy to pwn.

    --
    I am officially gone from /. Long live http://www.soylentnews.com/
    1. Re:Maybe we need to whitelist? by Subratik · · Score: 3, Insightful

      I thought this would be a good idea at first, until I realized that most of the companies still on the whitelist would just become targets....and just because they haven't gotten hacked yet, doesn't mean they have good security measures.... Frankly, I think companies who have gotten hacked would be better alternatives considering the CEOs probably dont ever want to mess around with budget cuts when it comes to infrastructure security.... ""Looking at you, Sony"

    2. Re:Maybe we need to whitelist? by trum4n · · Score: 1

      I have a feeling somebody foreclosed on the wrong hacker. That's my $0.02.

    3. Re:Maybe we need to whitelist? by fulldecent · · Score: 1

      >> most of the companies still on the whitelist would just become targets

      Good. Then staying on the white list will be ever more valuable.

      --

      -- I was raised on the command line, bitch

    4. Re:Maybe we need to whitelist? by ginbot462 · · Score: 1

      Sooooo, by your analogy --> you work payroll for a company? Must be a grizzled old miner company. dagnabit.

      --
      Atlas Shrugged : Thematic Story :: Battlefield Earth : Organized Religion
  2. Not exactly ADP by erroneus · · Score: 4, Informative

    The article makes grand mention of ADP, but the the affected systems are far less significant than if it were ADP itself. I don't know what ADP's services are like now, but I recall a time when my accounting people required MSIE and ActiveX controls to access ADP's services. That alone made me worry extensively about ADP's notion of security. But reading the article, I see that it's something else entirely.

    ADP acquired Workscape in August 2010. Workscape provides solutions including talent management, benefits administration and employee communications for hundreds of organizations and millions of workers around the world.

    The compromise was at Workscape which I imagine had not integrated its network with ADPs larger network. The organization appears not to have much to do with payroll or money services at all.

    1. Re:Not exactly ADP by chroniclinux · · Score: 2

      If I remember correctly, as of a year ago ADP still uses MSIE and ActiveX. Fixing someones payroll machine is... fun?

    2. Re:Not exactly ADP by Anonymous Coward · · Score: 1

      From an end-user perspective, their systems are a complete bag of shit. Nuff said.

    3. Re:Not exactly ADP by FatAlb3rt · · Score: 2

      Our HR lady needed to have a digital cert installed on her machine to gain access. Their site is usually very slow to navigate and I personally hate the design - very capable, but lots of wasted time and clicks to do it.

    4. Re:Not exactly ADP by crow_t_robot · · Score: 1

      I recall a time when my accounting people required MSIE and ActiveX controls to access ADP's services

      My company uses it and it still does. I hate it so much. Having to open up IE to log in and use it is like casting a spell to open a portal into Satan's asshole.

    5. Re:Not exactly ADP by cavreader · · Score: 1

      MSIE is still the recommended browser although a lot of the internet applications are also tested against FF, Chrome, and Safari. And ActiveX controls have been removed from the equation as the applications have matured over the years. There might be a old application out there some where using ActiveX but I have not seen any in the applications coming from corporate IT.

    6. Re:Not exactly ADP by Ucklak · · Score: 1

      It's a closed system so MSIE and Active X doesn't matter. The troubling part is the RSA tokens that were hacked.

      The client access is a 3 tier login.

      --
      if you steal from one source, that is plagiarism, if you steal from many, well, that's just research.
    7. Re:Not exactly ADP by erroneus · · Score: 1

      Wow... yet another goatse.cx troll... it was wasn't it? The description certainly reminded me of it.

    8. Re:Not exactly ADP by EXrider · · Score: 1

      I just helped (and by help, I mean did way more than I should've had to) ADP and our HR department migrate our time & attendance from the ancient 16-bit POS that is eTime, to their Workforce Now hosted product; and our payroll from PC Payroll to whatever it's new web hosted equivalent is. I get a lot of complaints that it's slow as hell and from what I've observed, it does not work in Chrome or Firefox. The whole implementation project was poorly managed by them, and pretty much everything short of a complete disaster with people's PTO and Vacation accruals getting screwed up, garnishments getting charged twice, the wrong timeclocks and components being delivered repeatedly, etc. Yeah, I'm glad it's over.

      I should mention that their support group is pretty friendly and competent, besides the complete disconnect between their payroll and time & attendance divisions.

      --
      grep -iw skynet /etc/services
    9. Re:Not exactly ADP by Anonymous Coward · · Score: 2, Interesting

      I have fairly extensive knowledge of the ADP product set, hence my use of the coward..

      The platform you are talking about is actually ADP Freedom, a somewhat ambitious product developed in the US and now only used by the UK arm. A certificate is required for all admin accounts, same with the ActiveX components. The biggest single issue is that the Activex controls have to be installed directly from a dedicated site, there was no MSI package available, although I believe this is being considered. As such each admin station had to have an admin account logon, visit the site and install. They are not used as part of the security model in any way and are really just used to render data. The certificates are easy, you can have as many as you want and export them at will.

      The IE tie in was to my eyes a mistake, one which I know a lot of noise has been made, both internally and with clients. While with a little work you can run the client (employee portal) on any browser the admin side uses a Crystal component as well as a couple of in house ones. This makes it a non starter on anything but IE. But then you have to look at the market when the product was designed, back then it was IE everywhere and they were not alone in buying in to the platform. Also don't forget that they copped a lot of flack when they finally decided to start dropping support for IE 6.

      In the past the performance was certainly not as good as it could have been. Some serious investment was made to the back end last year with better load balancing and more nodes on the cluster. The new platform is serious, scalable and a lot more stable than once it was.

      ADP do take security seriously, while they could be better they are better than many organisations. The biggest security risk they face however is the clients themselves. End users that can't understand why they insist on sending items such as copy payslips as encrypted files and so demand that they are just sent as PDF attachments, clients that bitch about a 15 minute time-out on non activity, clients that run bonsi buddy and google tool bars... the list goes on.

    10. Re:Not exactly ADP by thesteveco · · Score: 1

      Having worked at a financial institution I can say that you might be surprised to see how loosely some connections to vendors can be, much less partners or acquisitions. As much as I like to hope that ADP raises the bar, I've seen some rather terrifying things in the past in the way systems can be interconnected.

      RSA, BofA, Citi, Lockheed, now ADP... it's getting really scary out there. I'm rapidly losing any faith in the security of my information, whether they actively or passively have my consent to store it.

    11. Re:Not exactly ADP by cavreader · · Score: 1

      ADP like any other big coporation has grown through global acquisitions of smaller companies that provide the same type of services and they inherit a wide range of applications and data that must be consolidated. It takes time to do this and some people will need to keep using the old systems until it can be integrated with the rest of the systems. New or exisiting customers do not have this problem. ADP also relies heavily on Salesforce integration which takes some decision making power away from the internal IT group. Some corporate payroll systems also have their own requirements and limitations on how their internal systems interface with a 3rd party which can create a whole other set of problems.

    12. Re:Not exactly ADP by laurelraven · · Score: 1

      ...everything short of a complete disaster with people's PTO and Vacation accruals getting screwed up...

      We switched to ADP a little over a year ago. They've still not gotten the PTO problems worked out, and if I want to know how much I have, I have to contact HR and have them manually go through and work it out by hand.

      Sad to say, I actually sometimes miss the old way of filling out an Excel sheet for my time card...it was painful and awful, but at least it worked.

      --
      RTFA is Known to the State of California to cause cancer.
    13. Re:Not exactly ADP by EXrider · · Score: 1

      Some corporate payroll systems also have their own requirements and limitations on how their internal systems interface with a 3rd party which can create a whole other set of problems.

      Yeah, I understand that, but we were using ADP's payroll system (and T&A), not our own, or some other 3rd party solution. You would think that it would be pretty straightforward since it's all involving ADP's own products. At one point our "Implementation Specialist" realized that not only had they forgot to implement the PTO accrual formulas on the new payroll system, they also forgot the current PTO accrual balances from the old system. They told our HR manager that she would have to have someone print out a massive report from the old system and manually type all of the values into a spreadsheet because the values couldn't be exported from the old system. This would've taken several days to complete, not to mention all the opportunities for human error and the values changing constantly. This is absurd given that the system is backed by a SQL database. I refused to settle for that answer and finally got ahold of someone in their support department that could help us export the accrual data from their payroll system in a usable format.

      --
      grep -iw skynet /etc/services
  3. Why investigate? by Lord_of_the_nerf · · Score: 1

    It was clearly 'Anonymous'. Or has Sony trademarked that excuse?

    1. Re:Why investigate? by Exitar · · Score: 1

      Anonymous is sooooo last month!
      It's clearly LulzSec!

  4. So much hacking news by AHuxley · · Score: 1

    Somebody must be really wanting to roll out a killswitch, protect all that wide open US electrical grid, rod go up/down via modem at the nuclear plant, telephone exchange and your brand new networked power meter.
    How many millions will be handed over to contractors and any foreign entity with a security clearance to fix a secret wireless communications channel with remote secure control to any device that speaks "internet"?
    Some 'admin' having a bad script kiddies day with Microsoft again, triggers a state/tri state net security disconnect for a few hours ... or .. was it the aggressor nation?

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:So much hacking news by wintercolby · · Score: 1

      A kill switch is just about the dumbest idea ever. As soon as it's made, it will then be every bit as vulnerable as all of these systems that are getting hacked. It would become the quickest, easiest massive DoS attack to pull off, and it would give all of the hacking/cracking community a clear and obvious high value target. Given a dedicated enough team of black hats, it's not a matter of if it gets compromised, its a matter of how long.

      --
      Most ignorance is vincible ignorance. We don't know because we don't want to know. --Aldous Huxley
    2. Re:So much hacking news by ginbot462 · · Score: 1

      I see why you picked your user name. ... I wish I could say your wrong, and you probably are on this particular instance, but eventually it will be the new enemy: digital terrorist (just like the predecessors: Communists, War on Drugs, etc.). Then it is a brave new world indeed.

      --
      Atlas Shrugged : Thematic Story :: Battlefield Earth : Organized Religion
    3. Re:So much hacking news by tlhIngan · · Score: 1

      A kill switch is just about the dumbest idea ever. As soon as it's made, it will then be every bit as vulnerable as all of these systems that are getting hacked. It would become the quickest, easiest massive DoS attack to pull off, and it would give all of the hacking/cracking community a clear and obvious high value target. Given a dedicated enough team of black hats, it's not a matter of if it gets compromised, its a matter of how long.

      A DoS isn't a bad thing compared to getting silently intruded. And DoS tends to be from amateur shops just wanting a few lolz and such. The worst thing is a DoS attracts attention - people notice things are down and work to find out why.

      Sony, Citibank - I can bet that the attacks happened for a long while - Sony only shut down PSN after they noticed the odd transactions, and by then it was too late.

      Also a DoS isn't profitable. Sure it hurts the company, but oh well. Stealing their data means it hurts the company AND gives them something to sell on the black market.

      Think - Epsilon DoS'd - a bunch of marketing emails don't go out. But get at their list of data and you have emails and names. Very useful if you want to go phish. Ditto Sony's customer data. PSN was DoS'd and... nothing happened other than a few gamers got upset. But take 100M+ customer records? Goldmine.

      Hell, Anonymous' DoS of PSN probably got Sony investigating when they discovered the breach.

  5. Re:Verrrrry Interrrrrestink by BVis · · Score: 1

    Wow, the tinfoil hat brigade is out in force on this one.

    --
    Never underestimate the power of stupid people in large groups.
  6. Re:Verrrrry Interrrrrestink by fermat1313 · · Score: 2

    This really stinks of some 3 letter acronym organization wanting to destabilize the infrastructure. CIA, NSA, PRC, PLA, NWO?

    Why is it that so many people on /. automatically assume, without any evidence presenting itself, that anything bad is the act of some government conspiracy? Yeah, it could have been the government, but that is just one of many plausible answers. In most of the cases that aren't due to the cybervandals like Anonymous and Lulzsec, the much more likely culprit are professional criminal cracking organizations, who can make a lot of money on the data they can extract from large organizations that have huge stores of private information.

    If you can give any evidence that this or another specific event was orchestrated by the government, then let's see it. Otherwise you're just adding noise. We're supposed to be geeks who care about using scientific principles to finding the truth, aren't we? Occam's razor, my friend. Believe in it.

  7. Re:I live 1/2 mile away from headquarters by rogabean · · Score: 1

    Yeah well I am sitting in the headquarters right now at my desk... don't feel too special. I don't.

    --
    "why don't you just slip into something more comfortable...like a coma!"
  8. Hey hacker... by Anonymous Coward · · Score: 1

    Just add a couple extra non-zero digits to the left side of the dollar column in my paycheck this week. I'll split it with you.

  9. Perhaps more of it's finally being disclosed by Anonymous Coward · · Score: 1

    Properly and on time, instead of being hidden, to defend share price?

    Ever think of that??

    E.G.-> SONY took a 4% drop in stock when they were hacked/cracked for example.

    That said? It's NO SECRET that many companies try to "hide it" (while their boards of directors ditch shares like mad before the news hits and people lose faith in them due to security breaches).

    However, lately??

    It seems that trend has reversed itself and we're seeing what is occuring in a timely fashion.

    (That's a good thing for end users of these companies' services online, because they will most likely do something about it from a network security perspective once they're aware of any deficiencies there due to these hacks/cracks.)

    In fact - Since you're "speculating" (though it may be possible, ala "problem/reaction/solution" type manipulations of the public often done by those in power) and, the way you talk?

    Hey - I could say you're a member of "anonymous" or "lulzsec" or some other malware maker or hacker/cracker for pete's sake, trying to "sway public opinion" yourself, so that protective measures are NOT taken!

    Anyone can speculate, problem is? NONE OF US HAS ENOUGH INFORMATION, & solid undeniable information, to make any type of judgements here.

    We have to wait to see how it all plays out, as far as that is concerned... period!
    APK

    P.S.=> Oh, It's not just Microsoft stuff either, in regards to this little tidbit from you:

    "Some 'admin' having a bad script kiddies day with Microsoft again" - by AHuxley (892839) on Thursday June 16, @09:00AM (#36461582) Homepage

    This is happening on ALL platforms... case-in-point/example? Ok:

    E.G. #1 (very recent): What about MacDefender malware appearing on MacOS X? The OS that was allegedly implied by Apple to be "more secure than Microsoft's" for years?

    E.G. #2 (very recent): Also, and as far as "LAMP" (Linux, Apache, MySQL, PHP for those "not in the know" on that account) goes?

    I'll let this article from the Register speak on that account here, for me:

    http://www.theregister.co.uk/2011/06/10/domains_lamped/
    ---

    PERTINENT QUOTE:

    "Phishers compromise LAMP-based websites for days at a time and hit the same victims over and over again, according to an Anti-Phishing Working Group survey. Sites built on Linux, Apache, MySQL and PHP are the favoured targets of phishing attackers"

    ---

    Now - For comparison's sake, Apples-To-Apples, in the MS Stack for business online? Here we go:

    ---

    Vulnerability Report: Microsoft SQL Server 2008:(06/16/2011)

    http://secunia.com/advisories/product/21744/

    Unpatched 0% (0 of 0 Secunia advisories)

    ---

    Vulnerability Report: Microsoft Internet Information Services (IIS) 7.x: (06/16/2011)

    http://secunia.com/advisories/product/17543/

    Unpatched 0% (0 of 6 Secunia advisories)

    ---

    Vulnerability Report: Microsoft Exchange Server 2010: (06/16/2011)

    http://secunia.com/advisories/product/28234/

    Unpatched 0% (0 of 0 Secunia advisories)

    ---

    Vulnerability Report: Microsoft Internet Explorer 9.x: (06/16/2011)

    http://secunia.com/advisories/product/34591/ [secunia.com]

    Unpatched 0% (0 of 1 Secunia advisories)

    ---

    Vulnerability Report: Microsoft Visual Studio 2010: (06/16/2011)

    http://secunia.com/advisories/product/30853/?task=advisories

    Unpatched 0% (0 of 1 Secunia advisories)

    ---

    And?

    Well, We already KNOW that Windows 7:

  10. It's funny.... by Anonymous Coward · · Score: 1

    I was complaining to the HR person at my previous company that the password policy of ADP is so terrible that it encourages extremely bad behaviour with password management (really really draconian password requirements that you basically end-up having to use a random password generator). I said that it's not great security wise & the response was that "This is a huge company that a lot of people use & I'm sure they know what they're doing better than you". At that point I gave up on continuing that thread of the conversation. They also tend to use your SSN all over the place, cause... you know.... employment....

  11. Mr. AC offtopic troll's HOSTS file blunders list by Anonymous Coward · · Score: 1

    After all - It's not the 1st time you've tried to troll me on HOSTS files either...

    In fact, here are 2 of your "classic technical blunders" in fact, Mr. AC troll, in regards to HOSTS files usage:

    ---

    E.G. #1 - LARGE HOSTS FILES BEING CACHED BY THE LOCAL KERNEL-MODE DISKCACHING SUBSYSTEM (recently here no less, you screwed up THERE, hugely):

    http://it.slashdot.org/comments.pl?sid=2220314&cid=36379004

    E.G. #2 - HOSTS ON ANDROID PHONES (yes, they work there):

    http://apple.slashdot.org/comments.pl?sid=2204000&cid=36318508

    ---

    Proof's in the pudding, Mr. AC troll...

    APK

    P.S.=> Face it - On your best day, You couldn't touch me on technical issues if you're LIFE depended on it, and you know it...

    However, since I am of an open mind & I can only get STRONGER VIA VALID CRITIQUE?

    Well - What's "computer-science oriented technically wrong" (for lack of a better expression here) with my points on HOSTS files then?

    (Especially since I even shown that I had an MS mgt., SENIOR VP mind you, of the "Windows Client Performance Division" for years & at that time, agree that I was correct on my points on HOSTS files, ala -> http://slashdot.org/comments.pl?sid=1467692&cid=30384918 )?

    I can cite many posts where my points on HOSTS files were modded up also, ala:

    ---

    HOSTS MOD UP -> http://yro.slashdot.org/comments.pl?sid=1907266&cid=34529608
    HOSTS MOD UP -> http://tech.slashdot.org/comments.pl?sid=1490078&cid=30555632
    HOSTS MOD UP -> http://it.slashdot.org/comments.pl?sid=1869638&cid=34237268
    HOSTS MOD UP -> http://tech.slashdot.org/comments.pl?sid=1461288&threshold=-1&commentsort=0&mode=thread&cid=30272074
    HOSTS MOD UP -> http://tech.slashdot.org/comments.pl?sid=1255487&cid=28197285
    HOSTS MOD UP -> http://tech.slashdot.org/comments.pl?sid=1206409&cid=27661983
    HOSTS MOD UP -> http://apple.slashdot.org/comments.pl?sid=1725068&cid=32960808
    HOSTS MOD UP -> http://it.slashdot.org/comments.pl?sid=1743902&cid=33147274
    HOSTS MOD UP -> http://news.slashdot.org/comments.pl?sid=1913212&cid=34576182
    HOSTS MOD UP -> http://it.slashdot.org/comments.pl?sid=1530066&cid=30965192
    HOSTS MOD UP with facebook known bad sites blocked -> http://tech.slashdot.org/comments.pl?sid=1924892&cid=34670128
    HOSTS FILE MOD UP FOR ANDROID MALWARE -> http://mobile.slashdot.org/comments.pl?sid=1930156&cid=34713952
    HOSTS FILE MOD UP vs ANDROID MALWARE -> http://mobile.slashdot.org/c