Statement Regarding Recent Fraudulent Self-Service Registrations
Most Recently Reported: May 17, 2016
Date Initially Reported: May 06, 2016
ROSELAND, N.J., May 3, 2016 – ADP has learned that a small number of its clients’ employees have been victimized by fraudulent registrations through a self-service registration portal. Any potential exposure of W-2 information was limited to individuals who have had their personal information compromised previously (unrelated to ADP) based on ADP’s investigation to date.
Registration to the portal requires an access code that is unique to each client company. The company registration code is combined with an individual employee’s personal information (e.g., partial SSN, DOB, employee number, etc.) to create a unique access code required for portal registration. In this case, these clients made the unique company registration code available to their employees via an unsecured public website. The combination of an unsecured company registration code and stolen personal information (via phishing, malware, etc.) enabled the fraudulent access to the portal, based on ADP’s investigation to date.
Clients should NEVER publicly distribute company registration codes, or post them to a public website, in an unsecure manner. We have temporarily disabled access to the registration portal for those clients that continue to publish company registration codes in this fashion. ADP offers, and advises its clients to use, alternative industry-standard controls, including personal identification codes, which offer far greater protection during the self-service registration process. For further guidance, please review the ADP Security Management Service Best Practices on the following page.
ADP has no evidence that its systems housing employee information have been compromised. Additionally, the company is working with a federal law enforcement task force to identify the fraud perpetrators.
Security of employee information is paramount to ADP. The company believes that no other organization in this industry invests more to protect client information. In addition, ADP provides education, awareness training, and information to clients and consumers on best practices to prevent common cybersecurity issues, such as phishing and malware. ADP’s financial crimes monitoring team and client support groups provide proactive notice to clients when fraud or attempted fraudulent access is detected, as occurred in these cases.
Protecting clients and their data has been, and always will be, a top priority for ADP.
ADP® Security Management Service Best Practices
Safeguarding Your Organization’s Registration Process
Security Is a Shared Responsibility
ADP is committed to protecting the privacy of your organization’s employees and their personally identifiable information. To assist us in meeting that commitment, your employees must register with us before using our services.
Your security masters and security administrators set up your organization’s registration process for your unregistered employees. Your organization can choose to use personal registration codes (more secure) or the organizational registration code during registration.
Contact your ADP representative to determine the identity verification option(s) available to your organization.
Personal Registration Codes (Recommended)
Personal registration codes offer the most secure method to control access to your organization’s ADP services. Personal registration codes offer several security advantages. They are:
- Randomly generated alphanumeric codes (for example, 9A7B632F)
- Uniquely associated to the individuals to whom they are issued
- Securely distributed to the email addresses provided by your administrator
- Set to expire in 15 days or when used
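A minimal sketch of the four properties listed above (random, bound to one person, expiring after 15 days, consumed on use), added here as an illustration and not ADP's code. The class name, the hexadecimal alphabet, the hashed in-memory store and the five-attempt lockout are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

CODE_TTL = timedelta(days=15)   # expiry window stated in the list above
ALPHABET = "0123456789ABCDEF"   # assumption: same shape as the sample 9A7B632F
MAX_ATTEMPTS = 5                # assumption: 8 characters need a guess limit


class PersonalCodeRegistry:
    """Hypothetical issuer of per-person, single-use, expiring codes."""

    def __init__(self):
        # employee_id -> [sha256(code), expiry, failed attempts]
        self._pending = {}

    def issue(self, employee_id, now):
        code = "".join(secrets.choice(ALPHABET) for _ in range(8))
        digest = hashlib.sha256(code.encode()).digest()
        # Re-issuing overwrites the entry, so an earlier code stops working.
        self._pending[employee_id] = [digest, now + CODE_TTL, 0]
        return code  # deliver only to the address the administrator provided

    def redeem(self, employee_id, code, now):
        entry = self._pending.get(employee_id)
        if entry is None:
            return False  # never issued, already used, or locked out
        digest, expires, _ = entry
        if now >= expires:
            del self._pending[employee_id]
            return False  # past the 15-day window
        supplied = hashlib.sha256(code.strip().upper().encode()).digest()
        if not hmac.compare_digest(supplied, digest):
            entry[2] += 1
            if entry[2] >= MAX_ATTEMPTS:
                del self._pending[employee_id]  # force a fresh issuance
            return False  # wrong code, or a code issued to someone else
        del self._pending[employee_id]  # consumed on first successful use
        return True


if __name__ == "__main__":
    t0 = datetime(2016, 5, 17, tzinfo=timezone.utc)  # constructed sample time
    reg = PersonalCodeRegistry()
    code = reg.issue("emp-001", t0)                   # constructed employee id
    print(reg.redeem("emp-002", code, t0))            # False: not their code
    print(reg.redeem("emp-001", code, t0))            # True
    print(reg.redeem("emp-001", code, t0))            # False: already used
```

Because the code is checked against the one person it was issued to, a code that leaks is useless to anyone who cannot also register as that person, which is the property a shared organizational code lacks.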
Organizational Registration Code
An organizational registration code consists of your client ID and a code you enter separated by a hyphen. For example, if your client ID is SampleClientID and the code you choose is 1234, users would enter SampleClientID-1234 during registration.
For your protection, your organization MUST take the following precautions:
- Publish the organizational registration code on your intranet portal—not the internet—or distribute it to your new hires in a welcome packet or custom email.
- Update your identity verification options so your registering users provide additional identity information.
- Change the organizational registration code regularly.
ADP takes our clients’ security very seriously. We appreciate your support and cooperation to protect your organization, your users, and your data.
For more information about how ADP protects our clients, please visit the ADP Trust Center at www.adp.com/trust, which provides the latest security alerts, phishing information, security resources and best practices. Protecting ADP clients and their data from malicious activity has been, and always will be, a top priority for ADP.