03-04-2021 , 12:00 AM
Quote:Leading payroll company PrismHR is suffering a massive outage after suffering a cyberattack this weekend that looks like a ransomware attack from conversations with customers.
PrismHR is an online payroll, benefits, and human resources platform used by Professional employer organizations (PEO). PEOs use this platform to provide payroll, HR, and benefits services to their clients, commonly small and medium-sized businesses.
PrismHR is a massive business services company servicing over 80,000 organizations with 2 million employees and total annual payrolls of over $80 billion.
If you have first-hand information about this or other unreported cyberattacks, you can confidentially contact us on Signal at [color=var(--theme-link_a)]+16469613731 or on Wire at @lawrenceabrams-bc.[/color]
Weekend cyberattack
In numerous conversations with PEOs and their clients today, BleepingComputer has learned that PrismHR suffered a cyberattack on Sunday.
For PEOs using PrismHR's platform, they are given a dedicated subdomain on prismhr.com that hosts their client portal. This attack has caused PEOs, and their clients, to lose access to PrismHR's customer portals, which are now displaying the following message:
We're Working on Getting the System Back Online
The system you are attempting to access is currently unavailable. We're sorry for the inconvenience and appreciate your continued patience as we work to restore the system to operation as quickly as possible.
Those PEOs who host the PrismHR software in their own cloud infrastructure are unaffected.
In email templates provided by PrismHR, PEOs are telling clients that PrismHR "is currently experiencing an interruption of service impacting over 200 PEOs across the United States."
The emails say that payroll will not be affected this week and that they are waiving administrative fees for the current payroll period due to the outage.
While these emails do not indicate that an attack occurred, clients' phone conversations with PEOs paint a different picture than a simple outage.
According to PEO employees and their clients, PrismHR has told them that they suffered a "suspicious activity" activity over the weekend and immediately shut down their servers and network to protect the "integrity of their systems."
BleepingComputer was told that PrismHR is now restoring their systems from backups located on disaster recovery systems.
PrismHR has told customers that their data was not stolen during the attack.
When BleepingComputer contacted PrismHR with questions regarding this attack, they confirmed the attack occurred on February 28th, 2021. However, PrismHR would not share further details other than the statement below.
"We recently experienced a cyber incident that affected our payroll and benefits software used by Professional Employer Organizations (PEOs) throughout the US. We immediately disabled access to the system to protect customer information and engaged top-tier security experts to help on this. We are working quickly to restore customer access to our platform. While we are still looking into this, there is currently no evidence of unauthorized access or theft of data contained on our servers." - PrismHR
Likely a ransomware attack
While PrismHR has not specified what kind of cyber incident was detected, from the details shared with BleepingComputer, this is likely a ransomware attack.
Most enterprise-targeting ransomware attacks occur over the weekend while employees are not present, computers are not being used, and there is less attention paid to the network.
This decrease in monitoring allows threat actors who have been lurking quietly on the network to begin the process of noisily deploying the ransomware to encrypt systems.
Unfortunately, before encrypting devices, most ransomware gangs steal unencrypted data to be used in double-extortion attacks.
If this turns out to be a ransomware attack, the nature of PrismHR's business could make this disastrous.
Considering that the PrismHR handles the payroll, benefits, and human resources for thousands of organizations, they would also have very sensitive information stored in their systems.
This data may include social security numbers, payroll, ID cards, employee benefit information, information for beneficiaries, and a wide assortment of other sensitive information.
While PrismHR has told clients that there has not been a breach of data and that payroll is secure, we will not know for sure unless the ransomware gangs leak the data.
Update 3/2/21: Added info that self-hosted PrismHR customers are unaffected.
Source