Staffing companies are becoming prime cyberattack targets. The costs to recover, rectify, and notify individuals whose information has been stolen is staggering.  By nature of their business, staffing companies must collect potentially sensitive information on new employees, current clients and contractors.  In addition to typical financial information, private personal information (often referred to as PPI) is also collected which includes gender, social security number, date of birth, etc.  This information makes staffing companies attractive to hackers who may deploy W-2 related scams. This can lead to expensive costs for the company, and for the person whose private information was stolen.

Cyber Extortion

The most common cyberattack is cyber extortion or ransom attack. Hackers often find free software on the internet and send emails to company employees with embedded links. Once clicked, a malware program can encrypt valuable company data making it no longer accessible to the company.  The hacker will then demand payment to return access to the affected data.

Navy recruitment offices in New Jersey experienced a data breach when two laptop computers with information on their applicants were stolen. The personal information of about 31,000 applicants and 4,000 Social Security number were ransomed.


According to, “90% of cyber-attacks start because of human error.” A breach can happen when a consultant clicks on something they’re not supposed to. This is typically by accident. An example of this includes clicking a malicious link in a phishing email; just one click can give hackers access to all your internal systems.

A staffing company employee inadvertently clicked on a link exposing the personnel records of nearly 10,000 personal records that were made available on the internet.  In this instance, in addition to the people affected by the breach, the Attorney General and national credit reporting bureaus needed to be alerted.

Once a Breach Happens

Once a company’s sensitive information is breached, legally the company must notify anyone whose PPI was exposed. In some cases, the Attorney General and national credit bureaus must be notified as well. To determine the scope of a breach, forensic specialists combined with a legal firm will likely be asked to conduct a review and notify affected individuals based on local state laws.

Cyberattacks cost staffing companies not just money, but also time and reputation. The materials costs can be exurbanite. These are potential costs* for a breach of 100,000 records:

  • Legal Fees: $40K
  • Forensic Investigations: $60K
  • Notification Mall Shot: $100K
  • ID Theft Monitoring: $100K
  • Call Center: $50K
  • Regulatory Fines/Penalties: $100K

*Cited from Evolve

In Marsh McLennan Agency’s Business Insurance State of the Market Report, catastrophic cyber related exposure concerns continue to mount in the insurance marketplace.  The good news is that many organizations have enhanced their security over the past year, and this can be leveraged in negotiations with carriers at renewal.  It is important to partner with a broker who can provide the expertise you need to minimize your company’s cyber risk. Contact an MMA advisor today for more information.

Related insights