Paycor Data Breach (March 2024)

What Happened?

Customers of Paycor HCM continue the recovery process after the company suffered a cybersecurity breach in the summer of 2023. Attackers were able to breach Paycor, among many other companies, thanks to a zero day vulnerability found in the MOVEit file transfer software.

Last summer a ransomware gang called Cl0p exploited the MOVEit vulnerability to breach a large number of organizations in both the private and public sector. Paycor was one of those organizations and their customers were greatly impacted by the breach.

Paycor began notifying its customers who may have had their data compromised. Other human capital management firms such as Zellis and Paycom were ensnared in the global cybersecurity incident as well.

Defender Recommendations

There are things that we can learn from this incident.

• Strong Incident Response Program: Proactive cybersecurity requires a robust incident response (IR) program. Develop playbooks specifically focused on third-party vendor exploitation to respond swiftly during critical moments.
• Crisis Communication Preparation and Playbook Review: Create crisis communication documentation in advance, including notification documents for regulators, customers, and the media. This incident serves as a good reminder to review your playbooks and be prepared. Train a team member in crisis communication to lead during incidents.
• Maintain Robust Patch Management: It’s crucial to establish and maintain a strong patching program, ensuring that patches are applied promptly and regularly. This is especially important for addressing critical or zero-day vulnerabilities, forming the foundation of effective cybersecurity practices.
• Strengthen Network Monitoring: Enhance your network monitoring capabilities to detect and respond to threats effectively. Utilize technologies such as:
  • Managed detection and response (MDR),
  • Endpoint detection and response (EDR), or
  • Security information and event management (SIEM)

  to proactively hunt for anomalies in your network. Quick detection allows for rapid remediation, but remember, don’t assume everything is well. It’s crucial to strike a balance in monitoring and managing your EDR/MDR/SIEM environments for optimal cybersecurity resilience.

• Implement Dark Web Monitoring: Incorporate dark web, deep web, or open web monitoring to enhance threat detection capabilities. This proactive approach helps detect potential vulnerabilities or leaks of sensitive information on the web quickly. By staying informed about vendor vulnerabilities or data leaks, you can respond promptly and mitigate potential risks to your organization.

If Defender can help guide you in any one of these areas, please feel free to reach out to us at memberservices@industrydefenders.com at any time.