The initial attack was made on a third-party “business contact” information system that ADP uses to hold client and other third party information, including names, addresses, email addresses, and other generally available company information. However, according to ADP, the information compromised from the third party system does not contain social security numbers, bank accounts, passwords, HR data or similar confidential data. ADP’s systems were not attacked or compromised.
ADP says that it has been determined that the stolen email contact information in this database is being used to notify clients and others with the “from” address spoofed to look like a valid ADP email address, fictitious emails that began approximately 24 hours ago. The emails and their attachments are malicious and are believed to have been sent with the intent to compromise the data of the email recipient, according to ADP.
ADP is in the process of notifying all clients and other parties whose email addresses were maintained in this database, instructing them not to open, but to immediately delete, the emails and attachments. Additionally, information regarding this incident will be posted to ADP’s website at www.adp.com .
“ADP maintains numerous levels of physical, electronic, and procedural safeguards to protect confidential client information,” stated Gary C. Butler, president and chief executive officer of ADP. “The security of our clients’ data is of paramount importance to ADP. We regret any inconvenience to our clients and others, and appreciate their continued commitment to ADP as we work with law enforcement to resolve this incident.”