
Ceridian Hack Exposes Data on 27,000 Employees

Tuesday, February 9th, 2010

Ceridian, a provider of benefits services for thousands of client companies, had its payroll processing division hacked, exposing names, Social Security numbers, birth dates, and bank accounts of 27,000 employees from 1,900 companies nationwide.

The attack apparently occurred December 22 and/or 23 of 2009, but affected individuals were not notified until late January. When asked why it took so long to let employees know their data was compromised, Ceridian spokesman Keith Peterson said “We took immediate preventive steps to ensure no further incident of this type would occur.”

Peterson added “While the total number of employees affected is small, in our minds one is too many, and we are handling this incident according to our established protocol.”

27,000 may not be a large number relative to the total number of employees whose payroll Ceridian processes, but to call that number “small” and then wait more than a month to alert the affected individuals is a rather cavalier response. Ceridian was fortunate not to have exposed 270,000 or 2.7 million employees’ records, but for the 27,000 people whose Social Security numbers and bank account details are now in someone else’s hands, this is a matter of grave concern and utmost urgency.

It’s nice that Ceridian took “immediate preventive steps”, but it should also disclose what controls were in place, how they were circumvented, and what additional security controls it implemented afterwards. Ceridian falls under a variety of compliance mandates, and it would be interesting to know whether the attack defeated otherwise compliant security controls, or whether Ceridian dropped the ball somewhere in implementing security and protecting data.

Whether or not Ceridian’s network and servers were compliant with every applicable security mandate at the time of the breach, Ceridian could have sharply limited the damage by encrypting all stored employee data at rest, with the keys held outside the systems that were breached. An attacker may circumvent controls and breach the server, but a server breach does not have to be a data breach if the data itself is protected: a dump of ciphertext without the key exposes nobody. The qualification matters, because encryption at rest whose key sits on the same compromised host, or whose decryption the compromised application will perform on the attacker’s behalf, protects nothing.
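As an added illustration of that last point (not part of the original post, and not Ceridian’s code), the following Go program encrypts the SSN, date of birth and bank account columns of a constructed employee record with AES-256-GCM before they reach storage, binds each ciphertext to its row ID and column name so it cannot be transplanted to another row, and includes the check an attacker’s database dump would be run against. The record layout, the column names and the key handling are all assumptions made for the example; the key is supplied by the caller here so the code runs offline, where a real deployment would fetch it from a KMS or HSM on a different trust boundary than the database host.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Employee is a constructed sample record, not any real payroll schema. After
// Store, the SSN, DOB and BankAccount columns hold base64 AES-256-GCM ciphertext.
type Employee struct {
	ID, Name, SSN, DOB, BankAccount string
}

// Vault holds the data-encryption key. In production the key comes from a KMS or
// HSM outside the database host's trust boundary; here the caller supplies it.
type Vault struct{ aead cipher.AEAD }

// NewVault takes the 32-byte AES-256 key (aes.NewCipher would also accept 16 or 24 bytes, selecting AES-128/192).
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// seal encrypts one column under a fresh random nonce. Row ID and column name are
// bound in as associated data, so a ciphertext copied to another row or column
// fails authentication instead of decrypting to someone else's value.
func (v *Vault) seal(id, column, plaintext string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := v.aead.Seal(nonce, nonce, []byte(plaintext), []byte(id+"/"+column))
	return base64.StdEncoding.EncodeToString(ct), nil
}

func (v *Vault) open(id, column, encoded string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	n := v.aead.NonceSize()
	if len(ct) < n {
		return "", fmt.Errorf("vault: %s/%s: ciphertext too short", id, column)
	}
	pt, err := v.aead.Open(nil, ct[:n], ct[n:], []byte(id+"/"+column))
	return string(pt), err
}

// Store returns the row as it should be written: ID and Name stay in the clear
// for lookups; the sensitive columns are replaced by their ciphertext.
func (v *Vault) Store(e Employee) (s Employee, err error) {
	s.ID, s.Name = e.ID, e.Name
	if s.SSN, err = v.seal(e.ID, "ssn", e.SSN); err != nil {
		return Employee{}, err
	}
	if s.DOB, err = v.seal(e.ID, "dob", e.DOB); err != nil {
		return Employee{}, err
	}
	s.BankAccount, err = v.seal(e.ID, "bank", e.BankAccount)
	return s, err
}

// Load reverses Store; it fails under the wrong key or for a transplanted column.
func (v *Vault) Load(s Employee) (e Employee, err error) {
	e.ID, e.Name = s.ID, s.Name
	if e.SSN, err = v.open(s.ID, "ssn", s.SSN); err != nil {
		return Employee{}, err
	}
	if e.DOB, err = v.open(s.ID, "dob", s.DOB); err != nil {
		return Employee{}, err
	}
	e.BankAccount, err = v.open(s.ID, "bank", s.BankAccount)
	return e, err
}

// LeaksPlaintext is the attacker's view: does a dump of the stored row still
// contain any sensitive value from the original record in the clear?
func LeaksPlaintext(stored, original Employee) bool {
	dump := strings.Join([]string{stored.ID, stored.Name, stored.SSN, stored.DOB, stored.BankAccount}, "|")
	for _, secret := range []string{original.SSN, original.DOB, original.BankAccount} {
		if strings.Contains(dump, secret) {
			return true
		}
	}
	return false
}
```

Wire it up with NewVault(key) on the key fetched from the KMS, Store before every write and Load after every read. What this buys is exactly the post’s point: a stolen disk, a leaked backup or a SQL dump yields ciphertext, and a row copied from one employee to another fails to decrypt rather than quietly returning the wrong person’s account. What it does not buy is protection from an attacker who owns the application process that holds the key and can ask it to decrypt on their behalf; that case needs the key kept in an HSM or KMS with its own access control, audit trail and rate limiting on decryption, which this example does not model.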