ADP Duped Into Disclosing Data

In the latest in a string of high-profile data disclosures, the brokerage services group of Automatic Data Processing (ADP) last week said “an unauthorized party impersonated officers” at an undisclosed number of public companies to obtain investor information between November 2005 and February 2006.

The company, based in Roseland, N.J., did not say how many companies or investors were affected. ADP’s brokerage services division provides transaction-processing and investor communication services to financial firms.

According to The Wall Street Journal, Fidelity Investments said 125,000 of its customers were among those whose information was breached; UBS said 10,000 of its customers were affected, and Morgan Stanley said about 3,800 of its customers were involved.

In a statement sent to Baseline, ADP noted that the information included only investors’ names, addresses and the number of shares of stock held in their accounts. The data mistakenly disclosed did not include Social Security numbers, account numbers, the names of an investor’s brokerage or other personal information, according to ADP.

The company “maintains numerous levels of physical, electronic and procedural safeguards to protect confidential client information,” according to its statement. “We continually assess and invest in new technology to protect sensitive information, and upgrade our security practices and systems regularly. The security of our clients’ data is of paramount importance to us.”

ADP says it notified federal law enforcement authorities after it discovered the problem in February 2006, and then notified its broker clients. The company says law enforcement officials are investigating the case.

The ADP breach comes after other disclosures in the financial service sector. In March, for example, Fidelity Investments said a laptop with personal information on almost 200,000 Hewlett-Packard employees was stolen (see Stolen Fidelity Laptop Exposes HP Workers).

Other large-scale data breaches have included the May theft of a Department of Veterans Affairs employee’s laptop with personal information for more than 26 million veterans and the disclosure last year by information broker ChoicePoint of private data for more than 163,000 individuals (see What You Can Learn From the VA’s Snafu and Data Security: ChoicePoint’s Lessons Learned).