Collabera hacked: IT staffing'n'services giant hit by ransomware, employee personal data stolen

Crooks made off with everything needed for ID theft


Exclusive: Hackers infiltrated Collabera, siphoned off at least some employees' personal information, and infected the US-based IT consultancy giant's systems with ransomware.

We understand this swiped data included workers' names, addresses, contact and social security numbers, dates of birth, employment benefits, and passport and immigration visa details. Basically, everything needed for identity theft. The recruitment'n'staffing biz, which employs more than 16,000 people globally and banks hundreds of millions of dollars a year in sales, does not believe the lifted records have been used for fraud.

Collabera could not be reached for comment, though El Reg has seen a copy of the internal memo sent to staff disclosing the details of the leak. File-scrambling malware was detected on the IT consultants' network on June 8, and within a couple of days, it emerged at least some data had been stolen, according to the business.

"On June 8, 2020, Collabera identified malware in its network system consistent with a ransomware attack," Collabera wrote in the letter, dated mid-July and signed by HR senior director Mike Chirico.

"We promptly restored access to our backup files and immediately launched an investigation to determine the nature and scope of the event. On June 10, we became aware that the unauthorized party obtained some data from our system. We are working with outside experts and law enforcement to conduct a more detailed review of the incident."

Based out of New Jersey, Collabera offers companies IT services and staffing. That includes hiring out tech workers, hence the cache of personal data that was accessed by the miscreants.

"At Collabera, we reach out a hand to turn the search into a companionable, supportive journey," the company said on its website.

"A journey that certainly doesn’t inspire groaning, and one that no one ever takes alone."

So was this ransomware, or a data leak?

In this case, it appears that miscreants tried to encrypt data and also stole it. This has become the norm among ransomware gangs; crooks have taken to exfiltrating data as well as encrypting it. These days, victims aren't just paying the ransom to potentially restore their information, they're also paying to prevent the stolen data from being leaked or sold on by the extortionists.

In June, the Maze ransomware group – known for stealing and leaking corporate confidential data – claimed to have hacked Collabera.

Now Collabera is offering its staff two years of credit and identity monitoring services through Experian. (Yes, the same Experian that was once relieved of records on 15 million folks in the US.)

Workers who receive the letter are said to have until October 31 to register themselves for the monitoring service: "We strongly encourage you to review your bank, credit card, and other financial statements regularly. If you see any transactions you don't recognize or which appear suspicious, notify your financial institution immediately, as well as Experian." ®
