In a series of data breach notifications, IT services giant Cognizant has stated that unencrypted data was most likely accessed and stolen during an April Maze Ransomware attack.
Cognizant is one of the largest IT managed services company in the world with close to 300,000 employees and over $15 billion in revenue.
As a managed service provider (MSP), Cognizant remotely manages many of its clients to fix issues, install patches, and monitor their security.
On April 17th, Cognizant began emailing their clients to warn them that they were under attack by the Maze Ransomware so that they could disconnect themselves from Cognizant and protect themselves from possibly being affected.
This email also contained indicators of compromise that included IP addresses utilized by Maze and file hashes for the kepstl32.dll, memes.tmp, and maze.dll files. These IP addresses and files are known to be used in previous attacks by the Maze ransomware actors.
While Cognizant stated that it was an attack by Maze, the Maze operators told BleepingComputer at the time that they weren’t behind the attack.
Unencrypted data most likely were stolen
In two data breach notification letters [1, 2] filed with the Office of the Attorney General of California, Cognizant states that the Maze Ransomware operators were active on Cognizant’s network between April 9th and the 11th.
During the time they had access, they “likely exfiltrated a limited amount of data from Cognizant’s systems.”
Before deploying ransomware and encrypting devices, the Maze Ransomware operators will first spread laterally through the network and steal unencrypted files.
In the data breach notifications, Cognizant warned sensitive personal information such as SSN, Tax IDs, financial information, and driver’s licenses, and passports may have been stolen.
“We have determined that the personal information involved in this incident included your name and one or more of: your Social Security number and/or other tax identification number, financial account information, driver’s license information, and/or passport information,” the Cognizant customer data breach notification stated.
For employees who have corporate credit cards, Cognizant warned that they were likely exposed during the attack.
“The majority of the personal information that was impacted was information relating to our corporate credit cards. Out of an abundance of caution, we are giving notice to all associates who have an active corporate credit card. All associates who have an active corporate credit card will be offered credit and identity theft monitoring services from ID Experts”
For those affected, Cognizant is providing a free year of ID theft and dark web monitoring.
BleepingComputer suggests that victims utilize this free offer to detect and prevent threat actors from using the stolen information to open credit card accounts, bank accounts, or perform other identity theft.