A former employee apparently accidentally posted on the Internet payroll files that were mixed in with family photos.
For some, nothing is more sacred than their identities and their bank accounts.
So imagine the outrage at New York advertising company Innovation Interactive last week when it learned that its payroll processing firm, Ceridian Corp., had inadvertently leaked ID and bank-account data on its 150 employees to an Internet website.
Ceridian, based in Bloomington, is now trying to explain how the Innovation Interactive names, addresses, Social Security numbers, salary information and checking account data got onto the website of a former Ceridian employee, who it says took the data by accident when he left the company in March 2006.
The security breach could have big ramifications for Ceridian, which provides outsourced payroll and other services to 25 million employees of 110,000 companies in 38 countries, including more than three-quarters of the Fortune 500 corporations.
What's more, the problem may be bigger than a single breach. Ceridian said Innovation has suggested that data from 10 to 15 other companies also may have been leaked, but so far no other companies have notified Ceridian of a data breach.
"If we determine that others have been affected, we'll address that right away and take whatever steps are necessary," Ceridian spokesman Pete Stoddart said.
In an apologetic letter to Innovation Interactive employees, Ceridian said a former employee whom it would not name accidentally took Innovation's payroll files with him when he left, then posted them on a personal website. In a follow-up conference call with employees of Innovation Interactive, Ceridian said the employee apparently accidentally posted the information because it was mixed in with family photos.
Ceridian said in the letter to Innovation employees that it believes no one had accessed the Web-page data for several weeks before it was found, but it is still seeking records back to March 2006 to see whether anyone viewed the data during that time.
"This appears to have been an accidental and isolated incident without malicious intent," said Victor Karl, Ceridian director of information security and privacy, in the letter. "Ceridian believes the likelihood of improper access of your personal information appears to be quite low."
That explanation isn't wearing too well at Innovation Interactive, which is considering whether to find another payroll processing firm and whether to sue Ceridian, a spokeswoman said.
"We are distressed by what happened and are investigating the matter further," said the spokeswoman, who, like other Innovation workers, requested anonymity for fear they might become targets of a persistent Web-search expert.
Besides the leak of confidential data, Innovation has another reason to be miffed: Ceridian didn't even discover its own mistake. That discovery was made by Anthony Risicato, a former vice president at Innovation Interactive, who googled himself earlier this month and unexpectedly pulled up a treasure trove of company information.
Risicato told Will Margiloff, CEO of Innovation Interactive, what he'd found, causing executives of the Web advertising firm to go into emergency mode. When they were unable to reach Ceridian officials on Sunday, April 15, Innovation Interactive called the company hosting the Web page and begged that it be taken down. Then it called the big Internet search engines, such as Google, MSN and Yahoo, and asked them to purge the backup copies of the Web page from their recent scans of the Internet.
Insiders at Innovation Interactive say the strategy apparently worked because their personal data can no longer be found in an Internet search.
Ceridian is offering employees of Innovation Interactive a two-year subscription to the Equifax Personal Solutions data monitoring service "to help you protect your identity and your credit information," Karl wrote in his letter. "We are alerting you to this incident so you can take precautions to protect your information against misuse in the future."
Steve Alexander 612-673-4553 alex@startribune.com