Skip to content

Bit9

← Back to Blog
23 Jun 2011

ADP: Another Day, Another Breach

Dan Brown

Last week, ADP disclosed a malicious intrusion at a recently acquired Massachusetts-based subsidiary, Workscape Solutions. The damage is described as being limited to one customer. Beyond these facts, little has been disclosed or discovered about it. Assuming the affected customer isn’t a large institution, this accident is just one among many larger recent attacks, and we’ll probably soon forget about it.

Before we do, however, let’s dig a little deeper and see if there are any issues here worth considering further.

Perhaps this subsidiary wasn’t security conscious when they were first acquired? We could cut ADP some slack then, right? According to Workscape’s website:

You can rely on Workscape to keep your employee data safe and secure. Our performance management, compensation planning, manager self service, and outsourced benefits administration solutions — all of which share the common Workscape Total Rewards Platform™ — are delivered from hosting centers that have attained SAS70 certification (SAS70 Level II for our benefits solutions) and are fully compliant with ISO 27002 security standards. What exactly does this mean? It means we take data security as seriously as you do.

So much for alphabet soup certifications.

So many domestic companies outsource their payrolls to ADP that their National Employment Report is heavily relied upon by the government for compiling labor statistics. The potential impact of a significant breach of ADP payroll services is the sort of thing that keeps security professionals awake at night; particularly if their paystubs say “ADP” on them. Is the cost savings of outsourcing HR functions such as payroll worth the risk? Maybe this worry is for nothing? Perhaps ADP has a stronger culture of security than their subsidiary?

I once asked an ADP representative if it was possible to opt out of certain web services, such as the ability to view and change routing and ABA numbers online. From the reaction I received you would have thought I had asked if Santa’s workshop outsourced their payroll to ADP.

So much for the culture of security.

Acquisitions often pose security challenges. If the organizations merge their IT infrastructure, changing such infrastructure often results in temporary or permanent security holes via misconfigured routers, firewalls, temporary passwords, etc. Division of responsibility can be unclear between the organizations, leaving loose ends. Unsecured communication between the organizations’ IT departments is valuable if intercepted by an adversary. Could it be more than a coincidence that the Workscape breach was reported after the ADP acquisition?

Finally, the tradeoff between security and convenience, or more accurately between security and efficiency, needs to be examined. Since ADP services a large number of domestic payrolls they’re naturally going to be a target. With high profile attacks making headlines almost daily, IT security needs to take front and center stage during any merger or acquisition.

email

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

*

* Copy this password:

* Type or paste password here:

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Notify me of followup comments via e-mail. You can also subscribe without commenting.


Our Solutions

Our Products

  • Blog

+1 617-393-7400 US