Hacking victim says Ceridian has admitted that computer glitch retained data that should have been deleted.
The hacker who stole information about 27,000 people from payroll processor Ceridian Corp. apparently had some inadvertent help from the company.
According to one hacking victim, a Ceridian employee told him that his inactive, 10-year-old payroll data had been stolen because a Ceridian software glitch kept it in the company's database long after it should have been deleted. The stolen information included his name, Social Security number and street address.
"My information never should have been in their computer system," said Todd Ashton of Lakeville, who said it's been a decade since he left the employer who used Ceridian's payroll service.
However, it doesn't appear any laws were violated by Ceridian keeping inactive payroll files on people such as Ashton, say state officials and payroll industry experts.
Ceridian didn't respond to the allegation about a software glitch and declined to say what percentage of the hacking victims were, like Ashton, no longer with employers using Ceridian's payroll service.
"We are retaining the data that was part of the security incident in order to support the criminal investigation," Ceridian spokesman Keith Peterson said.
Ceridian said Wednesday that 27,000 people at 1,900 firms were affected by the Dec. 22-23 hacking of its payroll information database. The breach, which hit the company's Powerpay payroll system, affected less than one-tenth of a percent of the employees for whom Ceridian provides payroll services, the firm said.
The hacker obtained the names and Social Security numbers of all the victims, and in some cases also got birth dates and bank account numbers, the company said. The victims were notified in a letter sent by Ceridian dated Jan. 29.
"What floored me was why Ceridian waited so long to let us know our personal information had been stolen," said Dave Becker, a hacking victim in Woodbury. "A woman at Ceridian told me they waited because they had to reconstruct what happened."
Becker said 31 people at his employer, Oxygen Service Co. of St. Paul, got letters from Ceridian saying their personal data had been taken in the hacker attack -- even though his company stopped using the Ceridian service in 2008.
Another St. Paul man, who spoke on condition of anonymity because of concern about privacy, said he learned that Ceridian had kept his personal information for nine years after he had left the employer who used Ceridian's payroll service. After getting a letter from Ceridian about the hacking, the man said he called the company to ask why it had kept his information in its database but hadn't received a call back.
Several victims said they have filed complaints with the Minnesota attorney general's office. Ben Wogsland, spokesman for the attorney general's office, said that as a matter of policy he could not disclose whether complaints had been lodged against Ceridian or whether an investigation is underway.
Experts say the law doesn't have much to say about how long a company such as Ceridian should keep personal information.
"There is, to my knowledge, no legal requirement to delete payroll data" from a database, said Najeeb Khan, a director of the Kansas-based Independent Payroll Providers Association and president of his own payroll processing firm, Interlogic Outsourcing of Elkhart, Ind. "But if an employer switches to another payroll provider, we could eventually delete that information because it's not technically our responsibility anymore."
The Minnesota attorney general's office says there are no state rules requiring the destruction of personal data after a certain amount of time.
Besides being worried about having his personal information stolen, Ashton is also unhappy about Ceridian's response.
"The woman from Ceridian said they're working on removing my information from the database now," Ashton said. "I say that's fine, but it's after the fact."
He also wants more protection against identity theft than Ceridian is offering. He fears someone could open credit card accounts, take out loans or make purchases in his name.
"Ceridian offered me credit watch service and loss protection for one year through Equifax. But one year? Come on. I think they should protect me for the rest of my life in case my Social Security number is used against me," Ashton said.
Steve Alexander • 612-673-4553