440GB of data from US-based temporary staffing agency leaked on hacker forum

A 440GB archive that purportedly belongs to Automation Personnel Services, a US-based temporary employment agency, has been leaked on a popular hacker forum. Automation Personnel Services says the post-breach investigation “is currently ongoing and the scope and nature of the data impacted is not yet confirmed.”

According to the forum post, the archive includes confidential company data and sensitive documents related to Automation Personnel Services users, partners, and employees, such as accounting and payroll data, as well as various legal documents.

The archive was leaked on November 24. It appears to have been made public as a consequence of a failed negotiation with cybercriminals, after Automation Personnel Services apparently refused to pay the ransom.

“The data is preloaded and will be automatically published if you do not pay.”

Ransomware message seen in the forum post

We asked Automation Personnel Services if they could confirm that the leak was genuine, and whether they have alerted their partners and customers. According to Randy Watts, executive vice president at Automation Personnel Services, the company is “working with a third-party forensic investigation firm to determine the nature and scope of this event.”

“Protecting the information in our possession and the security of our systems is a top priority. We have and will continue to implement further enhancements in our security and response measures, including the notification to any impacted parties as necessary.”

Randy Watts, EVP at Automation Personnel Services

What data has been leaked?

The leaked data appears to come from Automation Personnel Services, which lists itself as "one of the leading temporary staffing agencies" in America, with more than 30 locations across the US. Established in 1990, the company offers its services to employers and job seekers from the manufacturing, technical, automotive, and other industries. 

Based on the samples we saw from the leaked archive, it appears to contain confidential company data from the past four years (2017-2020) and includes:

• Corporate accounting and payroll data
• Legal documents, including bank audit data and financial agreements
• HR information about Automation Personnel Services employees
• Customer and partner records, including names, addresses, and phone numbers

Example of leaked accounting data:

Example of leaked APS employee data:

Who had access to the data?

Since the data was made freely available in the final week of November, it’s safe to assume that multiple users of the hacker forum where it was posted had access to the data.

On the other hand, it’s unclear how many users actually downloaded the entire 440GB archive, and of that, how many are using that data for illicit purposes.

What's the impact of the leak?

Most of the data in the archive seems to be corporate rather than personal in nature. From what samples of the leaked archive we were able to access, however, it appears that at least 30 files in the archive contain personal information of Automation Personnel Services employees, including the last 4 digits of their social security numbers.

With personal employee data and company audit information in hand, cybercriminals could:

• Impersonate employees to gain unauthorized access to the company's resources and confidential information
• Carry out spear-phishing attacks against employees and their family members
• Steal the exposed employees’ identities and take out loans, apply for credit cards, or even collect tax refunds in their name

Furthermore, attackers could sell confidential company data to competitors for business intelligence and corporate espionage purposes. For example, one of the files in the archive listed Automation Personnel Services partners, and that information might be used by the competition to lure the clients away from the hacked company.

Next steps

If you work at Automation Personnel services or have an account on apstemps.com, there’s a good chance your data has been leaked. For that reason, we recommend you:

• Set up identity theft monitoring via your financial institution of choice
• Review recent activities on your online accounts and watch out for suspicious emails, messages, and requests

For companies that wish to avoid becoming victims of a ransomware attack, here are a few basic precautions that your organization should have in mind:

• Encrypt your confidential data with a salted secure encryption algorithm. That way, even if an attacker would manage to steal your data, they’d have no use for it because it would be inaccessible without an encryption key
• Use an intelligent threat detection system or a security incident event management system, which can inform you of a data breach before the data is downloaded by the attackers