Cyber Incident Victim: SD Worx

Date: Apr 2023

Location: United Kingdom

Summary

SD Worx, a major European HR and payroll services provider, suffered a cyberattack targeting its UK and Ireland division. The company preemptively isolated and shut down all related IT systems to contain the incident, causing a complete service outage. While the attack was confirmed not to be ransomware, the disruption prevented customer access to critical platforms. The company stated there was no initial evidence of data compromise, although it manages a vast amount of sensitive employee information for its clients.

Description

On or around April 9, 2023, the European HR and payroll management company SD Worx suffered a cyberattack targeting its UK and Ireland division. The company, based in Belgium, provides services to 5.2 million employees for over 82,000 companies. The malicious activities were discovered by the SD Worx security team on the night of April 9th within the company's hosted data centre. In immediate response to this discovery, the company took preventative action to mitigate any further impact by isolating all systems and servers. This containment measure resulted in a complete shutdown of the IT infrastructure supporting SD Worx's payroll and HR services specifically for its UK and Ireland operations.

As a direct consequence of the system isolation, there was no access to the affected systems, leading to a significant service outage for UK and Ireland customers. The company's login portals for other European countries remained operational and accessible, confirming the incident's scope was geographically limited to the UK and Ireland division. On April 10, 2023, SD Worx began formally notifying its customer base of the cyberattack and the subsequent shutdown. The company expressed regret for the disruption and emphasized its commitment to handling the situation with the highest priority. Their communications stated that extremely stringent organisational and technical security measures were normally applied to secure customer data and privacy.

The nature of the sensitive data managed by SD Worx, as outlined in the company's general conditions, became a significant point of concern following the attack. This data potentially included a wide array of personal and financial information such as tax details, government identification numbers, home addresses, full names, dates of birth, telephone numbers, bank account numbers, and employee evaluations. The compromise of such information could have severe consequences for the individuals involved. Following the attack, a customer expressed concern to media outlets that sensitive data may have been stolen during the incident, highlighting the potential risk of a data breach.

However, later on April 10, SD Worx provided an update on its investigation into the incident. The company confirmed that the attack was not a ransomware incident. Furthermore, they stated that at that time, there was no evidence to assume that any data had been compromised. The company clarified that the reason for preemptively isolating its systems was to mitigate any further impact and to allow for an adequate assessment of the threat. The investigation into the case was stated to be ongoing as of that date. The incident drew parallels to previous cyberattacks against other payroll and HR management companies, such as the 2021 attacks on PrismHR and Kronos, which resulted in massive customer outages and, in the latter case, a class action lawsuit filed against the company. The primary impact of the SD Worx incident was a service disruption, forcing the company to work on restoring system access for its affected customers while its security team continued its investigation into the malicious activities.
