Ceridian’s notification to the New Hampshire Attorney General’s Office is now available online (pdf). By letter from its attorney dated February 1, it summarizes the time line beginning with it first becoming aware on December 23 of a possible breach when its personnel spotted unusual activity that might indicate a problem. Further investigation indicated unauthorized access had occurred on December 22 and December 23 and the FBI was subsequently contacted.
By January 11, the company had determined “with reasonable certainty” which files might have been illegally accessed or acquired, and began compiling information on names and addresses of individuals to be notified. By January 29, the company had started sending out notifications.
Although the disclosure does not make any mention of how the hackers were able to gain access to its database (nor is such disclosure required under the law), Ceridian’s disclosure provides a useful example of disclosure and notification letters that are clearly written and generally answer the questions that most recipients might be asking. The company also set up a call center to answer questions and offered those affected free services.
Did they, as one person alleged, contribute to their own problems by having no longer active accounts on the system? Was their security up to industry standards at the time of the incident? I don’t know the answer to either question, but they do get a thumbs up from this site for their quick recognition of a problem, their prompt handling of it, and the clarity of their disclosure and notification letters.
Update: 8-9-10: Their notification to Maryland indicates that 514 Maryland residents were among those affected.