Staffing Firms and Cybersecurity Vendor Management
By Norman Comstock, Managing Director at UHY Consulting, Inc.
In today’s digital world, data security has become a critical issue for all organizations, regardless of their size or industry. Cyber threats such as data breaches, cyber-attacks, ransomware, and phishing are increasing daily, and organizations are under constant pressure to secure their sensitive data.
Staffing firms are not immune to cyber threats. To ensure better data security, staffing firms must develop, implement, and maintain a comprehensive data security strategy that outlines the policies, procedures, and technologies to safeguard data from unauthorized access, theft, or manipulation.
Several US staffing companies have reported being targeted by cyberattacks in recent years. Some notable examples include:
- Luttrell Staffing Group: In June 2022, an incident at Professional Personnel Services and its related entities, d/b/a Luttrell Staffing Group, involved sensitive personal and confidential health information. A threat actor encrypted Luttrell’s network with malware, which allowed unauthorized access to specific files within their systems. As a result, current and former Luttrell Staffing Group employee and associate information was accessed and acquired.
- Aerotek: In March 2021, Aerotek, a leading staffing and recruiting company, disclosed a data breach that resulted in unauthorized access to its network.
- Randstad USA: In 2020, Randstad USA, a subsidiary of Randstad NV, reported a data breach that affected some job applicants and employees.
- Robert Half: In October 2020, Robert Half, a global staffing firm, reported a ransomware attack that affected some of its operations in the United States.
- ManpowerGroup: In 2019, ManpowerGroup, a leading provider of staffing and workforce solutions, reported a phishing attack that resulted in the unauthorized access of some employee data.
- Kelly Services: In 2017, Kelly Services, a primary provider of workforce solutions, disclosed a data breach that exposed the personal information of some of its employees and job applicants.
Staffing companies and other organizations typically rely on multiple vendors to support their technology and business needs, including managed IT services providers, cloud hosting providers, software vendors, and security vendors. The level of security these vendors provide can also vary depending on factors such as the scope of their services, the type of technology they utilize, and the security controls they have in place.
Some US staffing companies affected by cyberattacks may have used various vendors to support their operations, but it isn’t easy to make a definitive list of all the vendors involved. Furthermore, the level of involvement of a vendor in a cyberattack can vary widely, from being an unwitting victim of the attack themselves to being directly targeted and compromised by threat actors seeking to exploit their access to a staffing company’s network.
Many vendors are targets of cybercriminals seeking to exploit their access to multiple customers’ networks, so staffing companies must vet their vendors carefully and ensure they have appropriate security controls. Additionally, staffing companies must have a robust cybersecurity program that includes strong security policies, regular security assessments, and employee training, among other measures.
Why do cyber threat actors target US staffing companies?
Cyber threat actors often target US staffing companies for several reasons:
- Valuable data: Staffing companies collect and store a significant amount of valuable data, such as personal information, financial records, and medical information. Once compromised, this data can be used for identity theft or financial fraud, or sold on the black market.
- Third-party access: Staffing agencies often work with multiple clients and vendors, making them vulnerable to attacks that target third-party networks. Cybercriminals may also target staffing companies to gain access to other companies’ systems and data.
- Payment processing: Staffing companies often process payments for their clients, which makes them attractive targets for financial fraud and theft. Cybercriminals often use ransomware attacks to lock down systems, then demand payment in exchange for access to encrypted data.
- Limited cybersecurity resources: Many staffing firms are small and mid-sized businesses with limited resources to invest in cybersecurity. A lack of internal resources can make them more vulnerable to attacks, as such efforts require specific expertise and tools to protect assets and information.
How staffing companies can prioritize cybersecurity efforts
To protect themselves, staffing companies should focus on cybersecurity by implementing strong access controls, regularly backing up data, and training employees to recognize and avoid common cyber threats. They should also work proactively with trusted vendors and clients to periodically review and update their cybersecurity policies and procedures. Staffing firms should also build a Third-Party Risk Management program to monitor their existing technology vendors and aid future procurement of new systems to meet the organization’s data security requirements.
For more information on how cybersecurity risks can impact staffing companies, please contact Bryan Besco, Director of Business Development, at bbesco@uhy-us.com.