Serco Inc., the American division of the multinational outsourcing company Serco Group, has disclosed a significant data breach that impacted over 10,000 individuals.
The breach resulted from attackers targeting a third-party vendor’s MOVEit managed file transfer (MFT) server, leading to the theft of personal information. The compromised data included names, U.S. Social Security Numbers, dates of birth, home mailing addresses, Serco and personal email addresses, as well as selected health benefits for the year. Serco clarified that its own systems remained unaffected and that the breach occurred solely through the platform of its vendor, CBIZ.
The breach was reported in a notification filed with the Office of the Maine Attorney General. Serco stated that CBIZ, its benefits administration provider, had experienced a ransomware attack and data breach. The incident began in May 2023, and CBIZ took action to mitigate it on June 5, 2023.
Serco expressed their commitment to cooperating with CBIZ to thoroughly investigate the breach and assess the full extent of the incident. Ensuring that CBIZ has implemented adequate security measures to prevent future incidents is a top priority.
The data breach holds significant implications due to Serco’s client roster, which includes numerous U.S. federal agencies, intelligence agencies, and branches of the armed forces, along with various state and local governments in the U.S. and the Canadian government.
Additionally, Serco provides services to prominent commercial customers such as Pfizer, Capital One, and Wells Fargo. As a company with global reach, Serco employs over 50,000 people across 35 countries and had a substantial annual revenue of over $5.7 billion in 2022. The breach raises concerns about the security of third-party vendors and underscores the importance of robust cybersecurity measures in safeguarding sensitive data.
As the investigation unfolds, Serco is working closely with CBIZ, and a cybersecurity firm is conducting an extensive inquiry into the matter. The incident serves as a reminder of the constant threat posed by cyber attackers and the need for companies to remain vigilant in protecting both their own systems and the data entrusted to them by clients and customers.