California-based professional employer organization hacked by TheDarkOverlord; thousands of employees’ files stolen
TheDarkOverlord (TDO) has been busy, it seems. In the past month or so, the hackers – who have seemingly managed to continue to evade capture by law enforcement – have revealed a number of hacks never previously disclosed by them.
Earlier today, DataBreaches.net reported on TDO’s hack of Caribbean Island Properties. But at the same time that DataBreaches.net learned of the CIP hack, this site also received an e-mail sent from the account of Rebecca Shields, the principal of another firm, Prime Staff Inc. Shields’ e-mail consisted of one word, “HELP,” which appeared above the text of what purported to be a communication from TheDarkOverlord.
According to public records, Prime Staff Inc. is a California domestic corporation with a mailing address at 1258 North San Dimas Canyon Road, San Dimas, California. The corporation listing was filed on July 7, 2011, and the company’s filing status is listed as Active. Prime Staff Inc. has one principal on record: Rebecca B. Gaspar from Upland. It appeared to be Ms Gaspar a/k/a Shields who reached out to DataBreaches.net, although it could have been TDO letting me know about the hack by emailing from her account.
DataBreaches.net responded to the e-mail and asked whether there was some safe way for Ms Shields to contact me or vice versa. In reply, DataBreaches.net received an e-mail that only said, “There’s no safe way to contact Shields.” At this point, then, it appears that TDO has complete control over the domain and mail server.
About Prime Staff Inc.
Prime Staff Inc. is a Professional Employer Organization (PEO). PEOs provide outsourced personnel and administrative services for both large corporations and SMBs. Businesses and PEOs develop “co-employment” relationships, which means that a business’s employees also become the PEO company’s employees. According to PEOcompare.com:
The PEO will take on many different clients, allowing them to pool one company’s employees with another’s. This helps lower risks and insurance costs. It also allows the PEO to propose a wide range of offerings, as well as access to benefit plans that a small business may not have been able to afford on its own.
Professional employer organizations are not bound by state borders or limited in the amount of employees they can accommodate, which is why many employers are beginning to see the tremendous value of their services.
Prime Staff Inc. has a number of reviews online, which generally range from poor (Yelp) to average (Indeed). Details of their operation were not available as all of their files and their site had been wiped out by TDO.
Unlike their communication to Caribbean Island Properties, TDO’s e-mail to Prime Staff does not provide any clue as to how they gained a foothold into their network. As with other “clients,” however, TDO gave the firm three options for payment.
TDO proposed a $50,000 USD amount for their Option 1, with the victim given one year to pay it off. If Prime Staff was willing to vouch for them with future clients, TDO indicated that they would reduce the amount to $37,500 USD (Option 2). The final option was a steeper discount: $25,000 USD in BTC to be paid by December 25. They also offered the firm a few other discount options, including a $10,000 refund if Shields were to convince any future “clients” to cooperate with them and accept their proposal:
If you choose one of the proposed options above, we agree that we’ll securely destroy all of the data and information that we’ve retrieved from you and we’ll make sure that all of this falls through the cracks and becomes forever lost in the darkness below, to not be brought up ever again (we need the storage space anyway, to have the room for our future activities – which don’t involve your companies, provided that one of our proposed options is agreed to and satisfied by the terms requested. We may even be willing to amend the terms of accord and satisfaction in the terms of compensation and time frames, if you ask nicely and if we’re entertaining a satisfied existence at that moment in time.
Consistent with their past activities, the missive contains some clear threats as to what non-cooperation would result in, e.g.,
Oh, and also, if you want your data back, you’ll be required to pay us for it, and since you ignored our SMS messages for hours, we deleted loads of it at random, so who knows what’s left? We’re only jesting. Don’t even bother trying to recover the data from your server drives because it’s been wiped with pseudo-random data which means it’s not recoverable. This wasn’t some flawed ransomware deployment. This was a fucking nuke going off. You’re fucked. If you want it back, you need us. If you don’t want it back, you need us to keep quiet. Pay us.
The email ends with a now-familiar sigblock, and a cheeky, “P.S. Give us a follow on our Twitter (@tdo_hackers)!”
The full message to Prime Staff Inc. appears below, followed by the contract. TheDarkOverlord did not provide precise numbers, but informed this site that they had acquired thousands of employees’ personnel files and that they would be selling them on KickAss.TDO