Oregon-based employment and staffing firm Cardinal Services, Inc. has begun notifying 142,323 individuals that their personal information was exposed in two separate cybersecurity incidents in 2025. Ransomware gang Rhysida claimed the first intrusion in June and issued an 8 BTC ransom demand worth roughly $940,000, while the INC ransomware group claimed the second incident in August, alleging exfiltration of 140 GB of data.
What Happened
Cardinal Services first detected unauthorized access to its systems on or around June 30, 2025, and engaged external cybersecurity professionals to investigate. While that investigation was still ongoing, the firm discovered a second unauthorized intrusion on August 8, 2025, prompting another round of containment and forensic work. Rhysida added Cardinal Services to its dark web leak site in mid-July 2025, and INC followed by listing the company in mid-September 2025. Cardinal has not publicly confirmed either ransomware claim, nor disclosed whether any ransom was demanded or paid in the second incident.
What Was Taken
The specific data categories are redacted in the public breach notification, but Cardinal is offering affected individuals complimentary access to Epiq Privacy Solutions ID, a credit monitoring and identity protection service typically reserved for incidents involving Social Security numbers or comparable identifiers. Rhysida's proof pack on its leak site included screenshots of Social Security numbers, government ID cards, a tax compliance certificate, and additional internal documents. INC claims to have stolen 140 GB of corporate data. Given Cardinal's role as an employment and staffing provider, the exposed population likely includes current and former employees, contract workers, and client records containing sensitive HR and tax data.
Why It Matters
Two distinct ransomware groups successfully compromising the same victim within roughly six weeks is a strong indicator of unresolved access pathways, lingering persistence, or shared initial access broker infrastructure. For defenders, this case underscores that incident response and eradication are not complete when the first attacker is evicted: residual credentials, web shells, or unpatched footholds can be resold or independently rediscovered. Employment and staffing firms are particularly attractive targets because they aggregate tax IDs, payroll data, and personally identifiable information for tens of thousands of individuals across multiple client organizations, multiplying downstream identity theft and fraud risk.
The Attack Technique
Neither Cardinal Services nor the threat actors have publicly disclosed the initial access vector for either incident. Rhysida, active since May 2023 and believed to have ties to the Vice Society group, typically gains initial access through phishing, exploitation of internet-facing services, and valid credentials purchased from initial access brokers, followed by Cobalt Strike deployment, lateral movement via RDP and PsExec, and double-extortion data exfiltration before encryption. INC Ransom, which emerged in July 2023, similarly leans on exploitation of public-facing applications such as Citrix NetScaler and unpatched VPN appliances, along with spear-phishing, before using legitimate administrative tooling for lateral movement. The short window between the two intrusions suggests the second actor may have leveraged access that was never fully remediated after the first.
What Organizations Should Do
- Conduct full credential resets and session token invalidation across all enterprise identity providers, VPNs, and remote access tooling following any confirmed intrusion, not just the accounts known to be compromised.
- Perform threat hunting for residual persistence mechanisms such as scheduled tasks, web shells, rogue service accounts, and unauthorized SSO application registrations after eviction.
- Patch and audit internet-facing appliances, particularly VPN concentrators, Citrix NetScaler, and file transfer products, which Rhysida and INC frequently exploit.
- Deploy EDR with behavioral detections tuned for Cobalt Strike beacons, PsExec abuse, and rapid file enumeration patterns associated with double-extortion ransomware.
- Segment HR, payroll, and tax systems from general corporate networks and apply strict access controls and DLP monitoring on bulk PII repositories.
- Engage a qualified third party for post-incident assurance rather than relying solely on internal validation that eradication was successful.
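As an added example (not from the article, and not code from Cardinal Services or its investigators), the following Python script sketches how the post-eviction hunt in the second bullet can be scripted over exported Windows event records. It flags PsExec-style service installs, services whose binary lives in a world-writable temp path, scheduled tasks that launch a scripting host, and accounts created or added to privileged groups after the eviction timestamp. The hostnames, account names, task names and eviction time are constructed for the sample; the event IDs (7045, 4698, 4720, 4728, 4732) are the standard Windows System/Security IDs for those actions.

```python
"""Post-eviction persistence hunt over exported Windows event records.

Added example; the sample events are constructed and do not describe the
Cardinal Services incidents. Real input would come from a SIEM export or
Get-WinEvent, normalised to the same dict shape used below.
"""
from dataclasses import dataclass
from datetime import datetime

# Standard Windows event IDs used by the hunt:
#   7045        new service installed (System log)
#   4698        scheduled task created (Security log)
#   4720        user account created
#   4728 / 4732 member added to a global / local security group
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Remote Desktop Users"}
REMOTE_EXEC_SERVICES = {"PSEXESVC"}            # PsExec's default service name
WRITABLE_PATHS = (r"c:\windows\temp", r"c:\users\public", r"c:\programdata")
SCRIPT_HOSTS = ("powershell", "cmd.exe", "rundll32", "mshta", "wscript")


@dataclass(frozen=True)
class Finding:
    event_id: int
    host: str
    reason: str
    detail: str


def hunt(events, eviction_time):
    """Return findings for events at or after eviction_time that match the
    persistence / lateral-movement patterns above. Earlier events belong to
    the original intrusion timeline and are assumed to be handled already."""
    findings = []
    for ev in events:
        if datetime.fromisoformat(ev["time"]) < eviction_time:
            continue
        eid, host = ev["id"], ev["host"]
        if eid == 7045:
            name = ev.get("service", "")
            path = ev.get("path", "").lower()
            if name.upper() in REMOTE_EXEC_SERVICES:
                findings.append(Finding(eid, host, "PsExec-style remote service install", name))
            elif path.startswith(WRITABLE_PATHS):
                findings.append(Finding(eid, host, "service binary in writable temp path", path))
        elif eid == 4698:
            action = ev.get("action", "").lower()
            if any(s in action for s in SCRIPT_HOSTS):
                findings.append(Finding(eid, host, "scheduled task launches scripting host", ev.get("task", "")))
        elif eid == 4720:
            findings.append(Finding(eid, host, "account created after eviction", ev.get("account", "")))
        elif eid in (4728, 4732) and ev.get("group") in PRIVILEGED_GROUPS:
            findings.append(Finding(eid, host, f"member added to {ev['group']}", ev.get("account", "")))
    return findings


# Constructed sample: one pre-eviction PsExec install (already known from the
# investigation) followed by a mix of suspicious and benign post-eviction events.
EVICTION_TIME = datetime(2025, 7, 5, 0, 0)   # constructed placeholder date
SAMPLE_EVENTS = [
    {"time": "2025-07-02T10:15:00", "id": 7045, "host": "HR-FS01", "service": "PSEXESVC",
     "path": r"C:\Windows\PSEXESVC.exe"},
    {"time": "2025-07-06T03:41:00", "id": 7045, "host": "HR-FS01", "service": "PSEXESVC",
     "path": r"C:\Windows\PSEXESVC.exe"},
    {"time": "2025-07-06T03:44:00", "id": 7045, "host": "PAYROLL-APP1", "service": "WindowsUpdateHelper",
     "path": r"C:\Windows\Temp\wuh.exe"},
    {"time": "2025-07-07T01:02:00", "id": 4698, "host": "PAYROLL-APP1", "task": "OneDriveSync",
     "action": r"powershell.exe -File C:\Users\Public\sync.ps1"},
    {"time": "2025-07-07T09:00:00", "id": 4698, "host": "WS-0142", "task": "Adobe Acrobat Update Task",
     "action": r"C:\Program Files\Adobe\Acrobat\AdobeUpdate.exe"},
    {"time": "2025-07-08T22:10:00", "id": 4720, "host": "DC01", "account": "svc_backup2"},
    {"time": "2025-07-08T22:11:00", "id": 4732, "host": "DC01", "account": "svc_backup2",
     "group": "Administrators"},
    {"time": "2025-07-09T08:30:00", "id": 4732, "host": "DC01", "account": "jdoe",
     "group": "Finance-Users"},
    {"time": "2025-07-09T12:00:00", "id": 7045, "host": "WS-0142", "service": "WinDefend",
     "path": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
]


def run_sample():
    """Run the hunt over the constructed events; used by the demo and tests."""
    return hunt(SAMPLE_EVENTS, EVICTION_TIME)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.event_id} {f.host:<13} {f.reason}: {f.detail}")
```

The pre-eviction PSEXESVC event is skipped on purpose: the hunt is meant to answer "what changed after we declared the first attacker gone", which is the question the two Cardinal intrusions raise. In practice the account-creation and group-membership checks would be correlated (the same principal created and then elevated within minutes is a far stronger signal than either alone), and the temp-path and scripting-host heuristics need an allowlist for legitimate management tooling before they are useful at scale.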