IT major Cognizant has been hit by a ransomware attack that compromised personal information of a huge chunk of its corporate credit cards, which were issued to its employees.
The attack by the Maze ransomware occurred in April, and Cognizant informed its employees that their personal data including names and account numbers of company corporate credit cards was compromised.
“A limited amount of personal data (of associates) was compromised before the attack was contained on May 1. Vast majority of the information consisted of names and account numbers (and no other personal information) from some American Express cards,” reports quote Cognizant as saying in a mail to employees.
Cognizant is expected to take an impact of loss of $50-$70 million in its revenues in the current quarter. The company has roped in FBI to investigate the matter.
There is no information on whether the impacted employees were only based in the US, or if employees from other grographies were impacted as well.
Cognizant has also told its employees that those who held the corporate credit card will be given access to credit card monitoring, dark web monitoring, and restoration services for free, even to those whose data was not compromised in the attack.
The company has also said that it has identified some employees whose personal data beyond credit card information has been exposed.
“Out of an abundance of caution, we are giving notice to all associates who have an active corporate credit card,” Becky Schmitt, chief people officer at Cognizant said in the email to employees.
“The small number of associates who have had other kinds of personal information exposed will be notified directly by June 24, 2020, and will also receive complimentary identify theft protection,” the company reportedly said.
This reportedly includes information such as tax IDs, social security numbers, passport data, driver’s licence information, among others.
According to a news website CRN, Cognizant has filed two letters with California state regulators where it has disclosed the theft. Of the two, one is a letter addressed to company employees informing them about the theft, while the second letter is addressed to those impacted by the attack.