US-based Automatic Data Processing (ADP) says hackers have stolen data about its clients from a third-party database and have used the information to launch online phishing scams.
In a statement, ADP says an initial attack was made on a third-party "business contact" information system that it uses to hold client and other third-party information, including names, addresses, e-mail addresses, and other "generally available" company information.
The vendor stresses that the data compromised does not contain social security numbers, bank accounts, passwords, HR data or similar confidential data. ADP says its own systems were not attacked or compromised.
However, the stolen e-mail contact information in the database is being used to send bogus phishing e-mails. ADP says it is contacting all clients, instructing them not to open the phishing e-mails and attachments.
Gary Butler, president and CEO of ADP, says the firm is working with law enforcement to "resolve this incident".
On Friday US online broker TD Ameritrade said an internal investigation into stock-related spam uncovered 'unauthorised code' in its computer systems that allowed illegal access to an internal database.
Names, e-mail addresses, and phone numbers belonging to retail and institutional clients were retrieved from the database. TD Ameritrade said the incident had "increased unwanted spam".
Security firm Sophos points out that disclosed e-mail addresses alone can be used to cheat internet users out of their hard-earned cash.
"We've already spotted 'spear-phishing' campaigns where criminals send e-mails posing as TD Ameritrade in order to extract additional personal information," says Graham Cluley, senior technology consultant, Sophos. "TD Ameritrade customers the world over should be extra vigilant when responding to e-mails which appear to come from the company and should immediately check to ensure that their accounts haven't been fiddled with... While TD Ameritrade has gone to great lengths to reassure customers that this breach hasn't led to any ID theft, no one should underestimate just how wily hackers can be in order to extort confidential information from unsuspecting victims."
In July last year ADP admitted that it was tricked into disclosing personal data on thousands of brokerage customers to fraudsters posing as corporate officers. ADP reportedly gave shareholder data - consisting of names, addresses and number of shares owned by individual investors - to "an unauthorised party" who fraudulently requested the information.