By Cameron G. Shilling (originally published 5/19/2011)
Two employment benefits service providers, Ceridian Corporation and Lookout Services, Inc., have agreed to settle Federal Trade Commission (FTC) charges that they failed to employ reasonable security measures to protect personal information they maintained about employees of their customers. The FTC charged that Ceridian and Lookout had claimed they would take reasonable measures to secure the data they maintained but failed to do so. These flaws were exposed when security breaches at both companies put the personal information of thousands of individuals at risk.
According to the FTC’s complaint against Ceridian, the company did not adequately protect its network from reasonably foreseeable attacks, and indefinitely stored personal information in readable text on its network without a need to do so.
These security lapses enabled an intruder to breach one of Ceridian’s web-based payroll processing applications and compromise the personal information, including Social Security numbers and direct deposit information, of approximately 28,000 individuals.
According to the FTC’s complaint against Lookout, the company’s systems permitted access to personal information of the employees of its customers without the need to enter a username or password, simply by typing a relatively simple URL into a web browser.
In addition, the complaint charged that Lookout failed to require strong user passwords, failed to require periodic changes of such passwords, and failed to provide adequate training.
As a result, an employee of one of Lookout’s customers was able to access sensitive information maintained in the company’s database, including Social Security numbers of about 37,000 individuals.

The settlement orders bar misrepresentations, including misleading claims about the privacy, confidentiality, or integrity of any personal information collected from or about consumers. The settlements also require Ceridian and Lookout to implement comprehensive information security programs and to obtain independent third-party security audits every other year for 20 years.