Payroll Firm Scammed Out of Personal Data

Fidelity Investments confirms to ABC News that 125,000 customer accounts were compromised in a data theft breach.

The latest corporate data breach is from a company you may never have heard of, even though one in six American workers gets paid by the firm.

Automatic Data Processing, one of the world's largest payroll service companies, confirmed to ABC News that it had been swindled by a data thief looking for information on American investors.

According to a company spokeswoman, ADP provided a scammer with personal information for an undisclosed number of investors who had purchased stock through brokerages that use ADP's investor communications services. Initial reporting indicates that these firms include a number of brand-name brokers, including Fidelity.

The company spokesperson said the data thief exploited a Securities and Exchange Commission rule that allows public companies to get names and addresses of shareholders from brokers, as long as the shareholder has not objected to the disclosure of such information.

The thief apparently impersonated a corporate officer from a public company and got ADP to send the information. The company declined to answer questions about its data security measures or why its existing measures did not prevent the data loss.

The loss occurred between November 2005 and February 2006 and resulted in the "inadvertent disclosure" of investors' names, mailing addresses and the number of shares they held in certain companies. No Social Security numbers or account information were disclosed.

"ADP notified federal law enforcement authorities promptly after its discovery of the problem in February 2006," said Dorothy Friedman, an ADP spokeswoman, in a prepared statement. "Shortly thereafter, ADP notified its broker clients. Law enforcement authorities are continuing to investigate the matter."

Some customers whose personal data were compromised have received letters from ADP. The three-page letter contains a list of 60 "affected companies," including HealthSouth and Sirius Satellite Radio among many smaller corporate names.

"We have been advised that the information disclosed was not sufficient by itself to permit unauthorized access to your account, and we have no evidence that the information on the lists has been improperly used," reads the customer notification. "However, we recommend that you be alert to any unusual or unexpected contact or correspondence that you may have with the listed public companies (or with anyone else) about your holdings in these companies."

The letter then goes on to encourage affected customers to consider contacting one of the national credit bureaus to discuss getting a fraud alert service. ADP says federal authorities are investigating the matter.