Staff records – from social-security and corporate credit card numbers, to passport and bank account details – were siphoned from Cognizant by hackers who then doused the IT contractor in ransomware.
A pair of disclosures [PDF] from Cognizant to the California Attorney General's office, mandated by US state law, this week shed more light on its Maze ransomware infection. We're told employee expense card information, along with personal records, was stolen by network intruders over a three-day period from April 9 to 11; the security breach was spotted on April 20.
Here's what Cognizant's chief people officer Becky Schmitt told staff yesterday, according to the filings...
We have determined that the personal information involved in this incident included your name and one or more of: your Social Security number and/or other tax identification number, financial account information, driver’s license information, and/or passport information.
The majority of the personal information that was impacted was information relating to our corporate credit cards. Out of an abundance of caution, we are giving notice to all associates who have an active corporate credit card. All associates who have an active corporate credit card will be offered credit and identity theft monitoring services from ID Experts, as detailed below.
A spokesperson for Cognizant further clarified in an email to The Register: "It involved certain personal information related to some current and former Cognizant personnel and individuals involved in corporate transactions." Said folks are based in and outside the US, we're told.
A leak of internal info was a definite possibility when Cognizant said back in April it had become the latest victim of the Maze gang. The ransomware-slinging outfit is known for not only encrypting the data of systems it breaks into, but also exfiltrating and occasionally publishing the data to scare victims into paying up.
For what it's worth, Cognizant – which employs close to 300,000 people and rakes in billions of dollars a year – said it hasn't heard of any fraud taking place using the records, so employees may be in the clear for now. Still, the IT giant will be ponying up for a year of identity theft monitoring services for its stiffed workforce. Those concerned are being sent letters with activation codes for the monitoring service.
Colleagues would be well-advised to keep a close eye on their bank statements for signs of fraud. ®