Kelly Benefits Alerts Nearly 264,000 Individuals of Data Breach Incident


Significant Increase in Breach Victim Count After Initial Report in Early April


A Maryland-based provider of outsourced benefits and payroll management is notifying a select group of nine major clients and close to 264,000 affected individuals about a potential compromise of sensitive personal information resulting from a hack in December 2024. The incident marks a drastic escalation in the number of impacted individuals, with the current tally of 263,893 representing an increase from the earlier reported figure of 32,234 submitted to state regulators on April 9.

The breach notification was also communicated to the U.S. Department of Health and Human Services as a HIPAA violation, suggesting the seriousness of data exposure. Kelly & Associates Insurance Group, which operates under the name Kelly Benefits, detailed that the affected individuals were associated with a range of clients, including Amergis, CareFirst BlueCross BlueShield, and Guardian Life Insurance Co.

In its latest statement, Kelly Benefits indicated that unauthorized access to its IT infrastructure was detected between December 12 and December 17, during which certain files were accessed and potentially copied by attackers. Investigators are currently conducting a thorough examination of all affected files to ascertain the content and determine the individuals involved.

The nature of the compromised information varies but may encompass personal details such as names, Social Security numbers, dates of birth, and medical and financial data. In light of the incident, the firm has engaged with the FBI and is actively reassessing its security measures, policies, and tools to enhance its defenses against future attacks.

Legal ramifications are already materializing; the company faces at least one proposed federal class action lawsuit. The lawsuit alleges negligence in safeguarding personally identifiable information (PII) from unauthorized access, stressing that a substantial risk of identity theft lingers even with proactive credit monitoring efforts.

Within the context of this breach, several potential techniques and tactics from the MITRE ATT&CK framework may have been utilized. Initial access could have been achieved through social engineering or exploiting vulnerabilities in software, while techniques for maintaining persistence may have enabled attackers to establish a foothold within the company’s systems for an extended period. Privilege escalation tactics might have been employed to gain deeper access to sensitive data, further exacerbating the breach’s impact.

The complexities of such data breaches underline the ongoing necessity for robust cybersecurity measures, particularly in sectors handling sensitive information. Business owners need to remain vigilant, ensuring that their security posture is not only reactive but also proactive, to mitigate similar risks in their organizations.
