Cyber Incident Victim: Allied Universal

Date: Nov 2019

Location: United States of America

Summary

Allied Universal suffered a ransomware attack by the Maze group, involving data exfiltration and network encryption. The attackers leaked approximately 700 MB of stolen files—representing 10% of the compromised data—after the company missed a ransom deadline, threatening to release the remaining 90% to WikiLeaks unless an increased $3.8 million payment was made. Exfiltrated data included sensitive employee termination agreements, medical records, contracts, server directories, encryption certificates, and Active Directory user lists. The ransomware operators emphasized their strategy of stealing unencrypted files prior to encryption as leverage to compel payments. The targeted firm acknowledged an ongoing investigation but declined further comment.

Description

On November 21, 2019, the Maze ransomware group publicly disclosed a breach of Allied Universal, a security staffing firm with approximately 200,000 employees and $7 billion in annual revenue. The attackers claimed to have encrypted "a lot" of computers within Allied Universal's network and exfiltrated sensitive data prior to deploying ransomware, a tactic explicitly described as leverage to pressure payment. Maze initially demanded 300 bitcoins (approximately $2.3 million USD) for decryption keys and suppression of the stolen data. After Allied Universal missed the unspecified payment deadline, Maze published roughly 700 MB of stolen files—representing 10% of the total exfiltrated data—on public platforms. The leaked data included termination agreements, business contracts, employee medical records, server directory listings, encryption certificates, and exported Active Directory user lists. Maze escalated demands to $3.8 million, threatening to release the remaining 90% of stolen files to WikiLeaks if unpaid. Allied Universal confirmed the incident was under investigation but declined further comment, stating no additional details would be provided at the time.

The incident highlighted Maze’s operational shift toward combining file encryption with systematic data theft and public leakage, significantly increasing potential harm to victims beyond operational disruption. By publishing Allied Universal’s confidential employee medical records and business documents, Maze demonstrated willingness to inflict reputational and legal damage to coerce payments. The attackers explicitly framed data exfiltration as a standard pre-encryption step in their attacks, indicating a calculated escalation in ransomware tactics. Allied Universal’s status as a large-scale security services provider underscored the breach’s severity, given its reliance on safeguarding client assets and sensitive personnel data. The lack of public details regarding Allied Universal’s containment measures or data recovery efforts left the full operational and financial impact unconfirmed. However, the exposure of employee medical records and internal contracts created immediate risks of identity theft, regulatory penalties, and litigation. Maze’s threat to disseminate additional data via WikiLeaks introduced further uncertainty regarding long-term data exposure consequences for the organization and affected individuals.
