Franchise Owned by Manpower Reveals Data Breach Following Publication of Alleged Stolen Information by RansomHub
RansomHub, a notorious ransomware group known for its double-extortion tactics, has made headlines once again, this time targeting ManpowerGroup's Lansing franchise in a significant data breach.
Background and Tactics
RansomHub, in its modus operandi, first exfiltrates sensitive data from its targets and then encrypts the data on the victim's servers. The group threatens to publish or sell the stolen data unless a ransom is paid.
Initially, the group claimed to avoid attacking hospitals and certain non-profit organisations, along with geographic restrictions excluding companies from the CIS, Cuba, North Korea, and China. However, recent reports suggest they have violated these self-imposed rules.
Known Activities
One of RansomHub's notable attacks involved Christie's auction house, where they stole personal data of over 500,000 customers worldwide. The data was sold to a third party but has not been publicly disclosed.
RansomHub has also developed the EDRKillShifter tool, which has evolved into a more advanced EDR killer. This tool allows them to bypass endpoint detection and response solutions, significantly reducing the effectiveness of security measures. This tool is now used by multiple ransomware groups.
The January 2025 Attack on ManpowerGroup
As of January 2025, RansomHub listed ManpowerGroup on its data leak site and claimed to have swiped 500GB of data from the Lansing franchise. The breach occurred months after the criminals made the claim, and an investigation found that an unknown actor gained unauthorized access to the network between December 29, 2024, and January 12, 2025.
The breach affected the personal information of 144,189 individuals, but it was an isolated incident, affecting only the Lansing franchise, and did not impact ManpowerGroup's corporate systems. The company reported $17.9 billion in revenue last year.
Response and Impact
ManpowerGroup notified the FBI about the digital heist and will cooperate to hold the perpetrator(s) accountable. The company's Lansing franchise suffered an IT outage on January 20, 2025. All affected individuals have been informed and will receive free Equifax credit monitoring and identity theft protection services.
The attacks by RansomHub highlight challenges in maintaining security governance across distributed business models, particularly in franchise operations. Victims have implemented enhanced security measures to mitigate future attacks.
There is ongoing cooperation with law enforcement agencies, including the FBI, for criminal investigations into RansomHub's activities. As of recent reports, RansomHub has stopped publishing new victims, indicating a possible shift in their operational status or a response to heightened scrutiny from law enforcement.
- To bolster security against future attacks like RansomHub's, ManpowerGroup is integrating advanced AI analytics into their cybersecurity strategy to better detect and respond to threats, especially those bypassing endpoint detection and response solutions.
- With the rapidly evolving landscapes of data breaches and ransomware attacks, policymakers are increasingly focusing on enhancing technology and security regulations to protect citizens' personal information and digital assets.
