ADP gives you a person’s username and the name of all their employers when you type in their name and phone number.
On their website, go to the sign in screen and click “Need help signing in”. Go through the prompts and watch the person’s username, and the legal name of all their employers (who have ever used ADP) appear on the screen.
Note: Whether or not you select “my current employer uses ADP”, it will still show you the full list of both current and previous employers (who use ADP).
From there, it is remarkably easy to gain access to paycheck information if you are a grocer, a landlord, a retailer, or any one of the 2737429193 entities who may have a little extra data on them.
Edit: To address some of the comments, I feel I need to clear something up. I’m not saying this is some authoritarian configuration error ADP messed up on. It’s a standard login that works conveniently for ADP and also happens to be negligent in privacy protection. And it’s most likely completely legal for most people in the U.S.
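The flow described above is a classic account-recovery enumeration problem: the response itself reveals whether the identity matched and what the account contains. As an added example (my code, not ADP's, with a constructed sample directory and hypothetical class and function names), here is how a recovery endpoint can avoid that: the on-screen reply is identical whether or not the name and phone match, sensitive details go only to the contact channel on file, lookups are throttled per phone number, and an audit trail records a fingerprint rather than the looked-up value.

```python
"""Added example (not ADP's code): an account-recovery lookup that does not
reveal on screen whether a (name, phone) pair matches, and never shows the
username or employer list to the requester."""
from dataclasses import dataclass, field
import hashlib

# Constructed sample directory; in a real system this is the identity store.
DIRECTORY = {
    ("alice example", "+15550100001"): {
        "username": "aexample42",
        "employers": ["Example Grocer LLC", "Sample Retail Inc"],
    },
}

# The same sentence is returned for matches and non-matches.
GENERIC_REPLY = ("If the details you entered match an account, we have sent "
                 "sign-in help to the phone number on file.")


@dataclass
class RecoveryService:
    outbox: list = field(default_factory=list)    # simulated SMS channel
    audit: list = field(default_factory=list)     # what security ops can review
    attempts: dict = field(default_factory=dict)  # per-phone attempt counter
    max_attempts: int = 5

    @staticmethod
    def normalize(name: str, phone: str) -> tuple:
        """Canonicalise input so 'Alice  Example' / '+1 555 010 0001' match."""
        digits = "".join(ch for ch in phone if ch.isdigit())
        return (" ".join(name.lower().split()), "+" + digits)

    def request_help(self, name: str, phone: str) -> str:
        key = self.normalize(name, phone)
        # Throttle by phone number to slow bulk probing; the reply stays generic
        # so the throttle itself does not become an oracle.
        count = self.attempts.get(key[1], 0) + 1
        self.attempts[key[1]] = count
        if count > self.max_attempts:
            self.audit.append(("throttled", key[1]))
            return GENERIC_REPLY
        record = DIRECTORY.get(key)
        # Log a short hash so ops can correlate abuse without storing the
        # name/phone pair that was tried.
        fingerprint = hashlib.sha256(repr(key).encode()).hexdigest()[:16]
        self.audit.append(("lookup", fingerprint, record is not None))
        if record is not None:
            # Deliver only what sign-in needs, and only to the phone on file.
            # The employer list is never sent anywhere in this flow.
            self.outbox.append({
                "to": key[1],
                "body": f"Your username is {record['username']}.",
            })
        return GENERIC_REPLY


if __name__ == "__main__":
    svc = RecoveryService()
    print(svc.request_help("Alice Example", "+1 555 010 0001"))
    print(svc.request_help("Bob Nobody", "+1 555 010 0002"))
    print(svc.outbox)   # one message, to the matching phone only
```

The point of the design is that the requester learns nothing from the page: the matching and non-matching cases return the same text, and the only place the username appears is a message to the number already on file. Employer names are deliberately left out of the delivered message because sign-in does not need them.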
Sorry, friend! ADP stands for Automatic Data Processing. They are a leader in Payroll & HR solutions. It's where you go to view your paycheck or update your insurance beneficiary information.
I hear you, but in the last year I've begun wondering if full public disclosure isn't a better way to go these days.
The sheer volume of breaches is overwhelming and in my experience (of over 40 years as an ICT professional) many companies sweep their failures under the carpet, hide behind crisis management teams and marketing speak, and ridicule those bringing issues to their attention.
Their disclosure is abysmal if it's made at all and there are precious few who reveal precisely what data was exfiltrated or how the issue was remediated.
This way anyone can verify the issue and companies cannot hide, everyone sees precisely what's leaked and can act accordingly.
If you know of a more effective way, I'd love to hear it.
Depends on how the parties behaved in the past. There are a bunch of government entities which called the police on me in the past when I was trying to work with them about discovered issues, and as a result they will also just get anonymous 0-day drops in public forums for future issues.
If you really regularly disclosed vulnerabilities, you'd know that for entities that don't have vulnerability disclosure programs you can always report through CISA or ENISA.