RansomHub Compromised One of the World’s Largest Staffing Firms

ManpowerGroup, a global staffing giant, has disclosed a data breach impacting nearly 145,000 individuals. The breach was linked to a ransomware attack in late December 2024, and the RansomHub ransomware group has claimed responsibility for the attack. Manpower has since bolstered its IT defenses and involved the FBI in the investigation.

Severity Level: High

Incident Overview

• Date of Breach: December 29, 2024 – January 12, 2025
• Detection Date: January 20, 2025 (via IT outage investigation in Lansing, Michigan office)
• Data Breach Discovered: July 28, 2025
• Consumer notification: August 11, 2025
• Affected Individuals: 144,189
• Location Affected: Primarily the Lansing, Michigan office; broader global impact likely
• Group Involved: RansomHub Ransomware-as-a-Service (RaaS) operation
• Total Data Stolen: ~500GB
• Current Status: FBI engaged; credit monitoring offered through Equifax

Data Exposed During The Breach

The stolen data likely includes both personally identifiable information (PII) & corporate records.

• Personal Information: Passport scans, Social Security Numbers (SSNs), Government-issued Ids, Addresses, Contact details, Medical test results
• Corporate Information: Financial statements, HR data analytics, Years of internal and external communications, Confidential contracts and NDAs

Threat Actor Profile – RansomHub

• Type: Ransomware-as-a-Service (RaaS)
• First Active: February 2024
• Aliases: Previously known as Cyclops and Knight
• Known Tactics:
  • Multi-extortion: encryption + data theft + leak threats
  • Targeting critical infrastructure and large enterprises
  • Negotiation for ransom removal from leak sites
• High-Profile Victims: Halliburton, Rite Aid, Frontier Communications, Change Healthcare (190M impacted), Kawasaki, Christie’s Auction House, Planned Parenthood

Lessons Learned

• A delay of over 6 months between breach and notification highlights the need for faster forensics and reporting mechanisms.
• The theft of high-value PII (e.g., SSNs, IDs, medical results) reinforces the need for encrypted storage, rigorous key management, and data minimization practices.

Recommendations

1. Use strong encryption protocols for PII, HR records, financial documents, and confidential agreements.
2. Limit the collection and retention of PII to what is legally and operationally necessary.
3. Maintain a Data Loss Prevention (DLP) program to monitor and block exfiltration attempts.
4. Maintain an up-to-date, tested incident response plan specifically for ransomware, include containment, eradication, and communication plans.
5. Align with regulations (e.g., GDPR, CCPA, HIPAA) for timely and transparent disclosure to regulators and affected individuals.
6. Manpower encourages affected individuals to enroll in the complimentary credit protection services they are offering.
7. As a precautionary measure, Manpower recommends that you remain vigilant by reviewing your account statements and credit reports closely. Affected individuals can consider placing a fraud alert on their credit report. If you detect any suspicious activity on an account, you should promptly notify the financial institution or company with which the account is maintained. You also should promptly report any fraudulent activity or any suspected incidence of identity theft to proper law enforcement authorities, your state attorney general, and/or the Federal Trade Commission (the “FTC”).

Source:

• https://www.bleepingcomputer.com/news/security/manpower-staffing-agency-discloses-data-breach-after-attack-claimed-by-ransomhub/
• https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/7f78311b-64ff-4436-82b7-187ed0d23685.html
• https://regmedia.co.uk/2025/08/12/manpower_data_breach_notification_letter.pdf
• https://www.theregister.com/2025/08/12/manpower_franchise_data_breach/

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

No related posts found.