The invasion at Ceridian may have affected 27,000 people at 1,900 firms.
A hacker attack at payroll processing firm Ceridian Corp. of Bloomington has potentially revealed the names, Social Security numbers, and, in some cases, the birth dates and bank accounts of 27,000 employees working at 1,900 companies nationwide.
In a Jan. 29 letter to an affected worker obtained by the Star Tribune, Ceridian said a hacker attacked its Internet payroll system Dec. 22 and 23.
Spokesman Keith Peterson said the breach was reported to the FBI and local authorities immediately, but affected consumers weren't notified until this week that they were at financial risk.
"We took immediate preventive steps to ensure no further incident of this type would occur," Peterson said when asked about the delay. "While the total number of employees affected is small, in our minds one is too many, and we are handling this incident according to our established protocol."
The breach, which hit Ceridian's Powerpay payroll system, affects less than one-tenth of 1 percent of the employees for whom Ceridian provides payroll services, he added.
Still, given the nature of the stolen information, the Ceridian breach is potentially more serious than other highly publicized security lapses in the financial industry that revealed millions of credit card numbers, said Avivah Litan, a financial services analyst with research firm Gartner in Stamford, Conn. That's because consumers are protected against losses resulting from theft of credit cards, but bank accounts have no such protection, she said.
It was the second security breach at Ceridian in three years; the 2007 theft of financial information involved a former employee. This hacker was from outside the company and still has not been found, Peterson said. Ceridian became a private company in 2007, but its last report to the Securities and Exchange Commission said its U.S. payroll business had revenue of $488 million.
The disclosure of the breach follows by about a week the unexplained departure of Ceridian Chairman and CEO Kathryn Marinello, but Peterson said her leaving was unconnected to the hacker attack.
Ceridian offered a year of free credit or identity theft monitoring through Equifax Credit Watch and outlined preventive steps those affected should take to monitor their credit and make sure new accounts aren't opened in their names.
No financial losses related to the breach have been reported so far, Peterson said.
But the letter appeared to confuse some consumers because it didn't identify the victimized company (which could be a current or former employer) or which employee bank account was involved.
Phil Martin, a retiree in Gainesville, Fla., said he had never heard of Ceridian's Powerpay service and worried at first that his Social Security check was at risk. Martin had to call Ceridian to find out his Social Security account wasn't involved.
Brian Q. Smith of Danbury, Conn., said his current employer doesn't use Ceridian, and he was unsure to which former employer the letter referred. He also wondered at first if the letter was legitimate.
"It looked like a scam to me," Smith said. "Why don't they just say it was a payroll breach, and here's how to fix it? This long-winded letter reeks of a direct mail piece."
The Ceridian letter meets the requirements of the law, which says security breaches must be disclosed to those directly affected, Litan said. But some other companies involved in data breaches have done more for consumers, such as offering loss resolution services that help recover money or insurance against losses suffered as a result of the breach, she said.
Steve Alexander • 612-673-4553