The Federal Trade Commission has settled charges against Bloomington-based Ceridian for allegedly failing to protect sensitive personal information of customers' employees.
Ceridian provides companies with payroll and other human resource services. The FTC said Ceridian's security measures were inadequate to protect its network from reasonably foreseeable attacks.
In September 2009, a hacker stole the information of about 28,000 employees who worked for Ceridian's small business customers.
"The attacker was able to obtain numerous types of information, including Social Security numbers and direct deposit account information," said Tiffany George, an FTC attorney. "Bank accounts, credit union accounts or wherever anyone would have their paycheck direct deposited."
Ceridian admitted no wrongdoing. But the settlement bars the company from making misleading claims about the privacy of personal information. Ceridian must also obtain independent, third-party security audits every other year for 20 years.