In a series of data breach notifications, IT services giant Cognizant has stated that unencrypted data was most likely accessed and stolen during an April Maze Ransomware attack.

Cognizant is one of the largest IT managed services company in the world with close to 300,000 employees and over $15 billion in revenue.

As a managed service provider (MSP), Cognizant remotely manages many of its clients to fix issues, install patches, and monitor their security.

On April 17th, Cognizant began emailing their clients to warn them that they were under attack by the Maze Ransomware so that they could disconnect themselves from Cognizant and protect themselves from possibly being affected.

This email also contained indicators of compromise that included IP addresses utilized by Maze and file hashes for the kepstl32.dll, memes.tmp, and maze.dll files. These IP addresses and files are known to be used in previous attacks by the Maze ransomware actors.

While Cognizant stated that it was an attack by Maze, the Maze operators told BleepingComputer at the time that they weren’t behind the attack.

Unencrypted data most likely were stolen

In two data breach notification letters [1, 2] filed with the Office of the Attorney General of California, Cognizant states that the Maze Ransomware operators were active on Cognizant’s network between April 9th and the 11th.

During the time they had access, they “likely exfiltrated a limited amount of data from Cognizant’s systems.”

Before deploying ransomware and encrypting devices, the Maze Ransomware operators will first spread laterally through the network and steal unencrypted files.

These stolen files are then used as an extortion tactic by threatening to publicly release the data on the Maze data leak site if the victim does not pay the ransom.

In the data breach notifications, Cognizant warned sensitive personal information such as SSN, Tax IDs, financial information, and driver’s licenses, and passports may have been stolen.

“We have determined that the personal information involved in this incident included your name and one or more of: your Social Security number and/or other tax identification number, financial account information, driver’s license information, and/or passport information,” the Cognizant customer data breach notification stated.

For employees who have corporate credit cards, Cognizant warned that they were likely exposed during the attack.

“The majority of the personal information that was impacted was information relating to our corporate credit cards. Out of an abundance of caution, we are giving notice to all associates who have an active corporate credit card. All associates who have an active corporate credit card will be offered credit and identity theft monitoring services from ID Experts”

The information contained in this website is for general information purposes only. The information is gathered from Cyber GOV AU, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.  Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.