Cyber Incident Victim: BambooHR

Date: Feb 2019

Location: United States of America

Summary

A cloud-based HR software provider experienced unauthorized third-party access to its payroll service, resulting in an attempt to divert payroll deposits. The attacker accessed sensitive employee data including names, Social Security numbers, states of residence and employment, wage types, and tax type codes. While the investigation could not confirm whether personal information was retained by the threat actor, the company notified all potentially affected individuals and offered them 12 months of credit monitoring and identity restoration services. The incident was detected following several days of malicious activity targeting financial transactions through the compromised system.

Description

BambooHR, a Utah-based provider of cloud-based human resources software services for small and midsize businesses, experienced a security incident affecting its TraxPayroll service in February 2019. Initial unauthorized access by an unidentified third party occurred on February 5, with subsequent malicious activity spanning February 11-13. During this three-day period, the attacker engaged in actions specifically designed to redirect or divert payroll deposits to accounts under their control. The breach was detected by BambooHR on February 13, prompting immediate investigation and containment measures. The compromised data included sensitive employee information such as names, Social Security numbers, states of residence, states of employment, wage types, and tax type codes. This combination of personal identifiers and financial data created significant exposure risks for affected individuals.

The company's investigation, led by Chief Financial Officer Kent Goates, could not confirm whether the attacker retained copies of the accessed employee information. Despite this uncertainty, BambooHR implemented a notification process for all employees whose personal data appeared in the compromised reports. The notification letters outlined the breach details and offered affected individuals 12 months of complimentary credit monitoring and identity restoration services through Experian. While the organization did not publicly disclose the exact number of impacted employees, the breach directly affected payroll operations and exposed sensitive personnel data across multiple jurisdictions, given the inclusion of both residence and employment state information. The incident timeline from initial access to detection spanned eight days, with the most critical malicious activity concentrated in the final 72 hours before discovery.