htt
p://abcnews.go.com/Technology/story?id=2160425
By DAN ARNALL
ABC News
July 6, 2006
The latest corporate data breach is from a company you may
never have
heard of, even though one in six American workers gets paid
by the
firm.
Automatic Data Processing, one of the world's largest
payroll service
companies, confirmed to ABC News that it was swindled by a
data thief
looking for information on hundreds of thousands of American
investors.
According to a company spokeswoman, ADP provided a scammer
with
personal information of investors who had purchased stock
through
brokerages that use ADP's investor communications services.
Initial
reporting indicates that these firms include a number of
brand-name
brokers, including Fidelity Investments and Morgan Stanley.
A Fidelity spokesman says the data breach compromised
125,000 of the
72 million active accounts at the brokerage.
Morgan Stanley says 3,800 of its clients were affected.
An industry source says Bear Stearns, Citigroup and Merrill
Lynch also
had account data leaked in the incident. A Merrill Lynch
spokesperson
refused comment. Calls to Citigroup and Bear Stearns have
not been
returned.
A spokesperson for banking and financial services group UBS
confirms
that about 10,000 of its brokerage clients were among those
whose data
was disclosed.
In a prepared statement, ADP spokeswoman Dorothy Friedman
said the
data thief exploited a Securities and Exchange Commission
rule that
allows public companies to get names and addresses of
shareholders
from brokers, as long as the shareholder has not objected to
the
disclosure of such information.
The thief impersonated a corporate officer from a public
company and
got ADP to send the information.
ADP refused to answer questions about its data security
measures or
why its existing policies did not prevent the data loss.
ADP said that the loss, which occurred between November 2005
and
February 2006, resulted in the "inadvertent
disclosure" of investors'
names, mailing addresses and the number of shares they held
in certain
companies. No Social Security numbers or brokerage account
numbers
were disclosed.
"ADP notified federal law enforcement authorities
promptly after its
discovery of the problem in February 2006," said
Friedman. "Shortly
thereafter, ADP notified its broker clients. Law enforcement
authorities are continuing to investigate the matter."
Some customers whose personal data was compromised have
received a
letter from ADP. The three-page letter contains a list of 60
"affected
companies," including HealthSouth and Sirius Satellite
Radio among
many smaller corporate names.
"We have been advised that the information disclosed
was not
sufficient by itself to permit unauthorized access to your
account,
and we have no evidence that the information on the lists
has been
improperly used," reads the customer notification.
"However, we
recommend that you be alert to any unusual or unexpected
contact or
correspondence that you may have with the listed public
companies (or
with anyone else) about your holdings in these
companies."
The letter then goes on to encourage affected customers to
consider
contacting one of the national credit bureaus to discuss
getting a
fraud alert service. ADP says federal authorities are
investigating
the matter.
Copyright © 2006 ABC News Internet Ventures
_________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.
www.blackhat.com
|