ManpowerGroup ransomware attack leaked customer data, staffing firm says

Dive Brief:

  • A Lansing, Michigan, franchise of ManpowerGroup experienced a data breach beginning in late December 2024, the company confirmed in an email to HR Dive, potentially exposing the personal information of nearly 145,000 customers.
  • The staffing firm provided additional details in a filing with the Office of the Maine Attorney General, stating that the breach began in late December and lasted until Jan. 12. ManpowerGroup said it discovered the breach in July and that the stolen data may have included names as well as other personal identifying information.
  • The company told HR Dive that the affected franchise “operates on an independent data platform, making this an isolated incident where no ManpowerGroup corporate systems were affected.” It said that all affected customers had been informed of the breach.

Dive Insight:

The incident demonstrates the potential value of HR-related data to cyber criminals. Cybercrime group RansomHub claimed responsibility for the attack and said it stole as many as 500 gigabytes of files, including Social Security cards, passports, employees’ worksites and hours worked, and customer lists, among other items, technology news outlet The Register reported.

In the Maine filing, ManpowerGroup said that it would offer free credit monitoring and identity theft protection services to the customers.

“We greatly value the information entrusted to us and have implemented numerous safeguards to reduce the risk of future incidents,” the company told HR Dive. “ManpowerGroup is committed to ensuring the highest security and business process standards necessary to protect our clients, partners, and employees.”

HR departments have been the subject of similar attacks in recent years, notably in 2021, when payroll and timekeeping company UKG’s Kronos Private Cloud product faced a breach that caused the platform to shut down for weeks. The ripple effects of the Kronos outage are still playing out in U.S. courts, with one federal judge recently permitting a Honda employee to proceed with his lawsuit alleging that the automaker failed to pay him overtime during the incident.

Another technological disruption affected global payroll systems in 2024, when cybersecurity firm CrowdStrike suffered an outage attributed to a faulty software update rather than a cyber attack. The incident nonetheless emphasized the importance of business continuity measures, communication protocols and contingency planning for HR departments, sources previously told HR Dive.

Employees are broadly vulnerable to advanced cyber attacks, especially in a hybrid working world, according to a 2022 study by email security firm Tessian. Such incidents have led experts to encourage HR executives to take an active role in training workers on preventive measures, as well as developing response plans. Employers may need to work with information technology departments and other business units to develop those plans, rather than deferring the task to others.