OpenSSL "HeartBleed" Vulnerability | Data Security | Client Assurance Letters

ADP Security Advisory - OpenSSL "HeartBleed" Vulnerability

Most Recently Reported: April 30, 2014
Date Initially Reported: April 10, 2014

Issue Overview
The U.S. Computer Emergency Readiness Team, a division of the Department of Homeland Security, released information about a serious vulnerability in the OpenSSL libraries. OpenSSL is frequently used as part of SSL and TLS encryption for websites (e.g., https), but can also be used for other encryption systems.

After a comprehensive analysis of ADP’s Internet sites worldwide, and consequent follow-up, we have completed all remediation activities related to the Heartbleed OpenSSL vulnerability. We will also continue to assess and respond as necessary, as our cyber threat management platforms are continuously updated to detect and respond to malicious activity.

Protecting our clients and their data has been, and always will be, a top priority for ADP.

Frequently Asked Questions

Q: What actions did ADP take to determine its exposure to the Heartbleed OpenSSL vulnerability?
A: Using information from ADP’s routine and ongoing network scans, ADP immediately initiated an assessment of all external SSL sites and services across all of ADP’s global networks. Included within these sites were mail servers, web services, and application sites.

Q: How did ADP test to determine whether or not its sites and services were susceptible to the Heartbleed OpenSSL vulnerability?
A: ADP utilized a commercial, industry-recognized network scanner, and also performed its own independent internal assessment, to attempt exploitation of this specific vulnerability. The script utilized was based upon a publicly available exploit kit.

Q: Did ADP find any sites susceptible to the Heartbleed OpenSSL vulnerability?
A: ADP discovered a very small number of services that were susceptible to the Heartbleed OpenSSL vulnerability.

Q: What actions has ADP taken to address any sites or services affected by the Heartbleed OpenSSL vulnerability?
A: ADP has validated that all Payroll and Human Capital Management Services we provide to our customers globally are either not susceptible to the OpenSSL “Heartbleed” vulnerability or have been successfully remediated. Those customers potentially affected by this vulnerability are being offered the opportunity to execute a password change at their next login or are being contacted directly by their ADP support team.
