Cyber Incident Victim: Randstad
Date: Dec 2020
Location: United States of America
Summary
The global staffing firm Randstad experienced a cyberattack by the Egregor ransomware group, resulting in unauthorized access to its IT environment and theft of unencrypted files. Attackers exfiltrated operational data linked to the company's U.S., Poland, Italy, and France divisions, later leaking a subset of financial, legal, and business documents. While the breach impacted a limited number of servers, business operations continued without disruption. An ongoing investigation aims to determine the extent of accessed information, including potential exposure of personal employee or client data. Egregor, a ransomware-as-a-service operation active since late 2020, leveraged affiliates previously associated with the disbanded Maze group to execute high-profile attacks across multiple sectors.
Description
On or around December 4, 2020, Randstad NV, the world’s largest staffing agency with operations across 38 markets and ownership of Monster.com, suffered a cyberattack attributed to the Egregor ransomware operation. The attackers breached Randstad’s global IT environment, exfiltrating unencrypted files before encrypting systems. Egregor subsequently published approximately 1% of the stolen data—a 32.7MB archive containing 184 files—on its leak site. The leaked data included accounting spreadsheets, financial reports, legal documents, and miscellaneous business records. Randstad confirmed the attack in a security notification after the data publication, clarifying that only a limited number of servers were compromised. The company maintained that its network and business operations continued without disruption despite the intrusion. Initial findings indicated the attackers accessed data specifically tied to Randstad’s operations in the United States, Poland, Italy, and France. The investigation remained ongoing to determine whether personal data of clients or employees was exposed.

Randstad initiated an investigation to identify the full scope of accessed data and assess potential personal data exposure, pledging to notify affected parties if necessary. The company did not disclose whether a ransom was demanded or paid. Egregor, a ransomware-as-a-service operation active since September 2020, employed an affiliate model where attackers retained 70% of ransom payments. The group had rapidly escalated its activities, targeting entities like TransLink and Kmart prior to the Randstad breach. Egregor’s emergence followed the shutdown of the Maze ransomware operation, with many Maze affiliates migrating to the new group. Randstad’s incident highlighted the gang’s focus on high-revenue organizations, as the staffing firm reported €23.7 billion in 2019 revenue and employed over 38,000 people. No operational disruptions or further data leaks beyond the initial 1% sample were reported by Randstad following containment efforts. The breach underscored Egregor’s pattern of extracting and leaking data to pressure victims, as seen in prior attacks against companies like Ubisoft and Barnes & Noble.
