Slashdot Mirror


ADP Experiences Security Breach

wiredmikey writes "HR and Payroll outsourcing giant Automatic Data Processing, Inc. (ADP) experienced a system intrusion, the company announced Wednesday. ADP said it was investigating and taking measures to address the impact of a system intrusion that occurred with a client at Workscape, a benefits administration provider that ADP acquired in August 2010. ADP has also been actively cooperating with law enforcement to determine the cause of this incident and to assist authorities in identifying and apprehending those responsible. ADP added the following in a statement: 'Because this incident is the subject of an ongoing law enforcement investigation, ADP cannot disclose any additional details at this time. ADP will provide further updates once information that can be made public becomes available, and we will continue to communicate with all affected parties as appropriate.'"


  1. Not exactly ADP by erroneus · Score: 4, Informative

    The article makes grand mention of ADP, but the affected systems are far less significant than if it were ADP itself. I don't know what ADP's services are like now, but I recall a time when my accounting people required MSIE and ActiveX controls to access ADP's services. That alone made me worry extensively about ADP's notion of security. But reading the article, I see that it's something else entirely.

    ADP acquired Workscape in August 2010. Workscape provides solutions including talent management, benefits administration and employee communications for hundreds of organizations and millions of workers around the world.

    The compromise was at Workscape, which I imagine had not integrated its network with ADP's larger network. The organization appears not to have much to do with payroll or money services at all.

    1. Re:Not exactly ADP by chroniclinux · Score: 2

      If I remember correctly, as of a year ago ADP still uses MSIE and ActiveX. Fixing someone's payroll machine is... fun?

    2. Re:Not exactly ADP by FatAlb3rt · Score: 2

      Our HR lady needed to have a digital cert installed on her machine to gain access. Their site is usually very slow to navigate and I personally hate the design - very capable, but lots of wasted time and clicks to do it.

    3. Re:Not exactly ADP by Anonymous Coward · Score: 2, Interesting

      I have fairly extensive knowledge of the ADP product set, hence my use of the coward.

      The platform you are talking about is actually ADP Freedom, a somewhat ambitious product developed in the US and now only used by the UK arm. A certificate is required for all admin accounts, same with the ActiveX components. The biggest single issue is that the ActiveX controls have to be installed directly from a dedicated site; there was no MSI package available, although I believe this is being considered. As such, each admin station had to have an admin account logon, visit the site and install. They are not used as part of the security model in any way and are really just used to render data. The certificates are easy: you can have as many as you want and export them at will.

      The IE tie-in was to my eyes a mistake, one about which I know a lot of noise has been made, both internally and with clients. While with a little work you can run the client (employee portal) on any browser, the admin side uses a Crystal component as well as a couple of in-house ones. This makes it a non-starter on anything but IE. But then you have to look at the market when the product was designed; back then it was IE everywhere and they were not alone in buying in to the platform. Also don't forget that they copped a lot of flak when they finally decided to start dropping support for IE 6.

      In the past the performance was certainly not as good as it could have been. Some serious investment was made in the back end last year, with better load balancing and more nodes on the cluster. The new platform is serious, scalable and a lot more stable than it once was.

      ADP do take security seriously; while they could be better, they are better than many organisations. The biggest security risk they face, however, is the clients themselves. End users that can't understand why they insist on sending items such as copy payslips as encrypted files and so demand that they are just sent as PDF attachments, clients that bitch about a 15-minute time-out on inactivity, clients that run Bonzi Buddy and Google toolbars... the list goes on.

  2. Re:Maybe we need to whitelist? by Subratik · Score: 3, Insightful

    I thought this would be a good idea at first, until I realized that most of the companies still on the whitelist would just become targets... and just because they haven't gotten hacked yet doesn't mean they have good security measures... Frankly, I think companies who have gotten hacked would be better alternatives, considering the CEOs probably don't ever want to mess around with budget cuts when it comes to infrastructure security... "Looking at you, Sony."

  3. Re:Verrrrry Interrrrrestink by fermat1313 · Score: 2

    This really stinks of some 3 letter acronym organization wanting to destabilize the infrastructure. CIA, NSA, PRC, PLA, NWO?

    Why is it that so many people on /. automatically assume, without any evidence presenting itself, that anything bad is the act of some government conspiracy? Yeah, it could have been the government, but that is just one of many plausible answers. In most of the cases that aren't due to cybervandals like Anonymous and LulzSec, the much more likely culprits are professional criminal cracking organizations, who can make a lot of money on the data they can extract from large organizations that have huge stores of private information.

    If you can give any evidence that this or another specific event was orchestrated by the government, then let's see it. Otherwise you're just adding noise. We're supposed to be geeks who care about using scientific principles to find the truth, aren't we? Occam's razor, my friend. Believe in it.