Cyber Incident Victim: TeleTech Holdings, Inc.
Date: Sep 2021
Location: United States of America
Summary
TTEC, a major customer support provider for prominent brands, experienced a ransomware attack disrupting its network and applications, leading to widespread operational outages. The incident encrypted some company data and temporarily halted business activities, preventing numerous remote employees from accessing customer service tools and causing significant workforce downtime for clients including Verizon, Kaiser Permanente, and Bank of America. Internal communications warned employees against interacting with a suspicious file linked to the Ragnar Locker ransomware group, though attribution remained unconfirmed. The company isolated affected systems, activated incident response protocols, and initiated restoration efforts while investigating potential impacts, initially stating no evidence of client data compromise. Service disruptions resulted in prolonged customer support delays across multiple client operations.
Description
On September 12, 2021, TTEC Holdings Inc. [NASDAQ: TTEC], a global customer support provider serving major brands including Bank of America, Verizon, and Kaiser Permanente, experienced a widespread system outage caused by a ransomware attack. The disruption prevented employees from accessing the company's network, applications, and customer support tools, impacting thousands of remote workers handling client services. Internal communications on September 14 revealed employees were instructed not to interact with a suspicious file named "!RA!G!N!A!R!" appearing in their Windows start menus, suggesting involvement of the Ragnar Locker ransomware group or actors impersonating them. Ragnar Locker was known for demanding multimillion-dollar cryptocurrency ransoms and threatening to leak victim data if law enforcement was contacted. Service desk logs showed significant operational paralysis: hundreds of Bank of America prepaid service staff, over 1,000 Verizon support personnel, and Kaiser Permanente teams remained unable to work due to connectivity failures. Employees reported prolonged downtime with minimal communication from leadership beyond directives to take additional days off.

TTEC confirmed the ransomware attack on September 14, disclosing that certain systems had been encrypted and business operations at multiple facilities were temporarily disrupted. The company activated its incident response and business continuity protocols immediately upon detection, isolating affected systems to contain the attack. Restoration efforts commenced methodically, though the full scope of compromised infrastructure remained undisclosed. An ongoing investigation found no evidence of client data compromise, noting TTEC typically does not store client information. Despite these measures, service interruptions persisted across client operations, with internal Zoom conferences revealing continued coordination challenges among support teams. The incident caused extended customer service delays for TTEC's client base during the outage period. No ransom payment details or data leakage claims were publicly verified at the time of reporting.
