[BreachExchange] Collabera hacked: IT staffing'n'services giant hit by ransomware, employee personal data stolen

Destry Winant destry at riskbasedsecurity.com
Wed Jul 15 10:27:48 EDT 2020


https://www.theregister.com/2020/07/14/collabera_ransomware/

Exclusive Hackers infiltrated Collabera, siphoned off at least some
employees' personal information, and infected the US-based IT
consultancy giant's systems with ransomware.

We understand this swiped data included workers' names, addresses,
contact and social security numbers, dates of birth, employment
benefits, and passport and immigration visa details. Basically,
everything needed for identity theft. The recruitment'n'staffing biz,
which employs more than 16,000 people globally and banks hundreds of
millions of dollars a year in sales, does not believe the lifted
records have been used for fraud.

Collabera could not be reached for comment, though El Reg has seen a
copy of the internal memo sent to staff disclosing the details of the
leak. File-scrambling malware was detected on the IT consultants'
network on June 8, and within a couple of days, it emerged at least
some data had been stolen, according to the business.

Collabera identified malware in its network system consistent with a
ransomware attack

"On June 8, 2020, Collabera identified malware in its network system
consistent with a ransomware attack," Collabera wrote in the letter,
dated mid-July and signed by HR senior director Mike Chirico.

"We promptly restored access to our backup files and immediately
launched an investigation to determine the nature and scope of the
event. On June 10, we became aware that the unauthorized party
obtained some data from our system. We are working with outside
experts and law enforcement to conduct a more detailed review of the
incident."

Based out of New Jersey, Collabera offers companies IT services and
staffing. That includes hiring out tech workers, hence the cache of
personal data that was accessed by the miscreants.

"At Collabera, we reach out a hand to turn the search into a
companionable, supportive journey," the company said on its website.

"A journey that certainly doesn’t inspire groaning, and one that no
one ever takes alone."

So was this ransomware, or a data leak?

In this case, it appears that miscreants tried to encrypt and stole
data. This has become the norm among ransomware gangs; crooks have
taken to exfiltrating data as well as encrypting it. These days,
victims aren't just paying the ransom to potentially restore their
information, they're also paying to prevent the stolen data from being
leaked or sold on by the extortionists.

In June, the Maze ransomware group – known for stealing and leaking
corporate confidential data – claimed to have hacked Collabera.

Now Collabera is offering its staff two years of credit and identity
monitoring services through Experian. (Yes, the same Experian that was
once relieved of records on 15 million folks in the US.)

Workers who receive the letter are said to have until October 31 to
register themselves for the monitoring service: "We strongly encourage
you to review your bank, credit card, and other financial statements
regularly. If you see any transactions you don't recognize or which
appear suspicious, notify your financial institution immediately, as
well as Experian." ®


More information about the BreachExchange mailing list