Hackers phish Gannett Co. HR workers, leaking email login credentials

Dive Brief:

Cyber thieves attacked HR professionals at Gannett Company, Inc., compromising the personal information of 18,000 current and former employees, according to SHRM. The McLean, VA-based company publishes the Detroit Free Press, The Des Moines Register, USA Today and 200 other news sources.
SHRM says hackers, posing as high-level company officials, requested W-2 forms and other employment-related information. They broke into the HR staff’s email accounts, gaining access to employees’ Social Security numbers, financial information and other personal data.
Mostly junior HR professionals fell for the scam, which was discovered on March 30.

Dive Insight:

HR departments are an obvious target for hackers, given their possession of large volumes of employees' personal information. In a recent ransomware campaign, named GoldenEye, cyber criminals sent HR departments email applications and authentic-looking cover letters to trick HR staff into opening infected attachments.

This is only slightly different from what happened in Gannett's case, but both are clear examples of cyber phishing attacks. Employers may be most familiar with email phishing, but such attacks can happen via other mediums as well, including personal social media accounts.

HR executives and cybersecurity officers must step up measures to protect the workplace from hacker attacks and data breaches. HR departments are especially at risk, due to the dollar value placed on personally identifiable information in criminal circles.

Recruiters should be looking to hire more cybersecurity specialists. Employers need cybersecurity professionals to protect their data, but say that few people have the kind of expertise needed. Until more people are trained and hired for cybersecurity jobs, workplaces will remain vulnerable to attacks.