A cyberattack on Manpower’s franchise office in Lansing, Michigan, resulted in unauthorized network access between late December 2024 and mid-January 2025. The breach, attributed to the ransomware group **RansomHub**, compromised the personal data of **144,189 individuals**, including employees and potentially customers. The incident was discovered after an IT outage on January 20, 2025. While isolated to the franchise’s independent data platform, the attack exposed sensitive information, prompting Manpower to offer **one year of free credit monitoring and identity theft protection** to affected individuals. The company reported the incident to the FBI and is cooperating with investigations. The breach underscores vulnerabilities in franchise-level cybersecurity and the escalating threat of ransomware-driven data exfiltration.
Source: https://hackread.com/manpower-data-breach-workday-3rd-party-crm-hack/
TPRM report: https://www.rankiteo.com/company/manpowergroup
"id": "man847081825",
"linkid": "manpowergroup",
"type": "Ransomware",
"date": "12/2024",
"severity": "100",
"impact": "",
"explanation": "Attack threatening the organization’s existence"{'affected_entities': [{'customers_affected': '144,189 individuals',
'industry': 'Human Resources / Staffing',
'location': 'Lansing, Michigan, USA',
'name': 'Manpower (Lansing, Michigan franchise)',
'type': 'Staffing Agency (Franchise)'},
{'industry': 'Enterprise Cloud Applications (HR, '
'Finance)',
'location': 'Pleasanton, California, USA',
'name': 'Workday',
'type': 'Public Company'}],
'attack_vector': ['Network Intrusion (likely via unpatched vulnerability or '
'phishing)',
'Social Engineering (impersonating IT support via fake '
'calls)'],
'customer_advisories': ['Free credit monitoring and identity theft protection '
'offered',
'No customer data accessed (per Workday)'],
'data_breach': {'data_exfiltration': ['Likely (claimed by RansomHub)',
'Yes (but limited to contact details)'],
'number_of_records_exposed': ['144,189'],
'personally_identifiable_information': ['Yes',
'No (only business '
'contacts)'],
'sensitivity_of_data': ['High (personal data)',
'Low (business contact info only)'],
'type_of_data_compromised': ['Personal data (unspecified '
'fields)',
'Business contact details '
'(names, emails, phone '
'numbers)']},
'date_detected': ['2025-01-20'],
'description': ['Manpower, a leading staffing firm, announced that a '
'cyberattack on one of its franchise offices in Lansing, '
'Michigan, exposed the personal data of 144,189 people. The '
'company discovered the unauthorized access on January 20, '
'2025, after an IT outage. A subsequent investigation found '
'that a hacker had been in their network from late December '
'2024 to mid-January 2025. The group RansomHub claimed '
'responsibility. Manpower is providing free credit monitoring '
'and identity theft protection for one year and has informed '
'the FBI.',
'Workday revealed a data breach related to a third-party CRM '
"platform, part of a 'social engineering campaign' targeting "
'many large organizations. Hackers accessed basic business '
'contact details (names, emails, phone numbers), but Workday '
'stated there is no sign that customer data was accessed. The '
'breach is linked to the ShinyHunters group, known for '
'impersonating IT support to access corporate databases. '
'Workday acted quickly to revoke access and added '
'safeguards.'],
'impact': {'brand_reputation_impact': ['Potential reputational damage due to '
'data exposure',
'Potential reputational damage due to '
"association with ShinyHunters' "
'broader campaign'],
'data_compromised': ['Personal data of 144,189 individuals',
'Basic business contact details (names, '
'emails, phone numbers)'],
'downtime': ['IT outage reported (duration unspecified)'],
'identity_theft_risk': ['High (credit monitoring offered to '
'affected individuals)',
'Low (only business contact details '
'exposed)'],
'legal_liabilities': ['Potential regulatory scrutiny (e.g., state '
'data breach laws)'],
'operational_impact': ['Isolated to franchise; no impact on '
'ManpowerGroup’s corporate network',
'No impact on Workday’s core customer '
'tenants or data'],
'systems_affected': ['Franchise office network (Lansing, Michigan)',
'Third-party CRM platform']},
'initial_access_broker': {'entry_point': ['Third-party CRM platform (via '
'social engineering)'],
'high_value_targets': ['Business contact databases'],
'reconnaissance_period': ['Late December 2024 to '
'mid-January 2025']},
'investigation_status': ['Ongoing (FBI involved)',
'Completed (access revoked, safeguards added)'],
'motivation': ['Financial gain (ransomware) / Data theft',
'Data theft / Corporate espionage'],
'post_incident_analysis': {'corrective_actions': ['Added extra safeguards to '
'CRM platform'],
'root_causes': ['Social engineering vulnerability '
'(employees tricked into divulging '
'credentials)']},
'ransomware': {'data_exfiltration': ['Likely (claimed by RansomHub)']},
'references': [{'source': 'Hackread.com'},
{'source': 'Manpower Public Statement'},
{'source': 'Workday Public Statement'}],
'regulatory_compliance': {'regulations_violated': ['Potentially state data '
'breach laws (e.g., '
'Michigan)']},
'response': {'communication_strategy': ['Public disclosure (via spokesperson)',
'Public statement'],
'containment_measures': ['Access to compromised CRM platform '
'revoked'],
'enhanced_monitoring': ["Likely (implied by 'extra safeguards')"],
'incident_response_plan_activated': ['Yes (investigation '
'launched post-detection)',
'Yes (access revoked, '
'safeguards added)'],
'law_enforcement_notified': ['Yes (FBI informed)'],
'recovery_measures': ['Free credit monitoring and identity theft '
'protection for 1 year'],
'remediation_measures': ['Added extra safeguards against similar '
'incidents']},
'threat_actor': ['RansomHub', 'ShinyHunters'],
'title': ['Cyberattack on Manpower’s Michigan Office Compromises Data for '
'144,000 People',
'Workday Data Breach in Widespread Social Engineering Scam'],
'type': ['Data Breach / Ransomware Attack',
'Data Breach / Social Engineering Attack'],
'vulnerability_exploited': ['Human vulnerability (tricking employees into '
'divulging credentials)']}