Using a process called “Flowjacking”, hackers were able to determine the work and data flow of ADP’s internal processes. They found out, for example, that setting up a user account with the company was a two-step process. The first step involves setting up the account, which requires social security numbers and other personal data that hackers are very good at getting their hands on.
The second step is activating the account, and ADP sends activation codes to the companies that set up accounts with them. Unfortunately, some companies are not careful with their activation codes, and wind up placing them in the public domain, where they can be scooped up by ever-watchful hackers.
Armed with a stolen social security number and a code grabbed from some public domain source, hackers can inject themselves into ADP’s normal process, and make off with thousands, and perhaps even millions of people’s personal information.
Things like bank account numbers and social security numbers are stock and trade for legions of hackers. This is data with good, reliable resale value, and they can always find a ready market for it.
ADP has thus far not released information on how many records were put at risk by the successful hack against them, and security experts stress that ADP itself was not hacked. Rather, the workflow itself was breached, and the hackers took advantage of the fact that some companies weren’t as careful as they should have been with their activation codes.
If you use ADP, your best move from here is to contact them directly to find out if any of your employee records were impacted. It is also probably a good idea to have your networked scanned and evaluated for security risks. If you need any help with this, please feel free to reach out to our office.