Serco, Leading US Government Contractor, Unveils Data Breach Following Devastating MOVEit Attacks
US Govt Contractor Serco Discloses Data Breach After MOVEit Attacks. Serco, a leading US government contractor, has disclosed a data breach caused by a ransomware attack on its file transfer service, MOVEit. The breach exposed personal and financial data of employees and customers. Serco is working with authorities and cybersecurity experts to investigate the incident and enhance its security measures.
Serco Inc Discloses Data Breach After Attackers Steal Personal Information
Serco Inc, the Americas division of multinational outsourcing company Serco Group, has revealed a data breach in which the personal information of over 10,000 individuals was stolen from a third-party vendor’s MOVEit managed file transfer (MFT) server.
In a breach notification filed with the Office of the Maine Attorney General, Serco stated that the information was exfiltrated from the file transfer platform of CBIZ, its benefits administration provider.
“On June 30, 2023, Serco became aware of a ransomware attack and data breach experienced by our third-party benefits administration provider, CBIZ,” the company explained.
“We understand from CBIZ that the incident began in May 2023 and steps were taken to mitigate the incident on June 5, 2023. It is important to note that the breach of CBIZ’s systems did not compromise the safety and security of Serco’s systems.”
The compromised personal information includes any combination of the following: name, U.S. Social Security Number, date of birth, home mailing address, Serco and/or personal e-mail address, and selected health benefits for the year.
Serco is currently collaborating with CBIZ to investigate the breach and determine the full extent of the incident. The focus is on ensuring that the third-party vendor has implemented adequate security measures to prevent future incidents.
According to CBIZ, a cybersecurity firm is also conducting a thorough investigation into the matter.
Serco provides services to a wide range of clients, including various U.S. federal agencies such as the Departments of Homeland Security, Justice, and State, as well as U.S. Intelligence Agencies and multiple U.S. Armed Forces branches (e.g., Navy, Army, Marine Corps, Air Force).
Serco is also a contractor for U.S. state and local governments, the Canadian government, and high-profile commercial customers such as Pfizer, Capital One, and Wells Fargo.
The company employs over 50,000 people across 35 countries and had an annual revenue of over $5.7 billion in 2022.
Is There a Connection Between the UK Electoral Commission Data Breach and the Serco Data Breach?
The recent discovery of a massive UK electoral data breach has raised questions about any potential links to the Serco data breach. Both incidents involve breaches of sensitive data, but it remains unclear whether there is a direct connection between them. Given the different entities involved in each breach, further investigation is necessary to determine any potential correlation or shared vulnerabilities.
Clop Gang Behind the MOVEit Hacks
The Clop ransomware gang initiated a large-scale data-theft campaign by exploiting a zero-day vulnerability in the MOVEit Transfer secure file transfer platform starting from May 27th.
On June 15, the cybercrime group began extorting organizations that fell victim to the data theft attacks. The threat actors publicly exposed the names of the victims on their dark web data leak site.
These attacks are expected to affect hundreds of companies worldwide, with many already notifying their affected customers over the past two months.
Despite the large number of potential victims, Coveware estimates that only a few will likely give in to Clop’s ransom demands.
Nevertheless, Clop is projected to amass between $75-100 million in payments due to its high ransom demands.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also revealed that several U.S. federal agencies have fallen victim to these attacks, as reported by CNN.
In addition, Federal News Network reported that two U.S. Department of Energy (DOE) entities were also impacted.