Kelly Benefits 2024 Breach Now Impacts 550,000
Kelly & Associates Insurance Group (dba Kelly Benefits) has now confirmed that 553,660 people were impacted by a December 2024 data breach that compromised their personal information. This is an update to the 32,234 count they previously reported in April.
Jim Routh, Chief Trust Officer at Saviynt:
“The first thing for an enterprise to consider regarding this breach information is the fact that Kelly Benefits took such a long time to notify victims, the enterprises impacted, and the public (December 12, 2024 – April 9, 2025). The second is that it is common practice for these types of companies that provide benefits consulting, payroll, insurance, etc., to use SSNs to identify individuals across applications and records. That means that the attack surface for threat actors is significantly larger than necessary and highly profitable, given that SSNs are the easiest data elements to monetize for threat actors. The third is that these types of companies do not necessarily attract top cybersecurity talent nor are they known for providing adequate funding for cyber resilience. The combination of these three attributes makes for a company (in this case) attractive to cyber criminals, while individual consumers are at risk for personal data exposure.
“All enterprises should incorporate the application of lessons learned from control testing, tabletop sessions, and actual cyber incidents into their communication with existing and future customers. Enterprises that manage third-party risk are more receptive to third parties that apply the lessons learned from incidents. In the case of Kelly Services, this might include the elimination of SSNs in application files and moving this data to databases with different levels of encryption deployed, classified as restricted with the best controls. It might include an investment in mature privileged access management capabilities with continuous verification. Also, investment in more mature identity security practices using a data lake architecture with models to design more effective access controls.”
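One way to carry out the SSN-elimination step Routh describes, as an added example that is not code from the page or from either company: application records keep only a random surrogate key, and the SSN lives in a separate restricted vault that uses a keyed blind index (HMAC) so an existing token can be found without storing a brute-forceable plain hash. The records, index key and vault class below are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample: application records that use the SSN as the cross-system key
# (hypothetical data, not from the breach).
APP_RECORDS = [
    {"ssn": "123-45-6789", "name": "A. Example", "plan": "PPO"},
    {"ssn": "987-65-4321", "name": "B. Example", "plan": "HMO"},
    {"ssn": "123-45-6789", "name": "A. Example", "plan": "Dental"},  # same person, 2nd record
]


def blind_index(ssn: str, index_key: bytes) -> str:
    """Keyed HMAC of the SSN. Lets the vault find an existing token for a person
    without keeping a plain hash: the SSN space is only ~1e9 values, so an
    unkeyed SHA-256 over it is brute-forceable, an HMAC under a secret key is not."""
    return hmac.new(index_key, ssn.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Restricted store: the only place an SSN exists. In production this store
    sits in its own encrypted, access-controlled tier, not in the app database."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._by_index = {}   # blind index -> token
        self._by_token = {}   # token -> SSN

    def tokenize(self, ssn: str) -> str:
        idx = blind_index(ssn, self._index_key)
        if idx not in self._by_index:          # first time we see this person
            token = "tok_" + secrets.token_hex(8)   # random, carries no SSN info
            self._by_index[idx] = token
            self._by_token[token] = ssn
        return self._by_index[idx]

    def detokenize(self, token: str) -> str:
        """Privileged operation: only the vault can map a token back to the SSN."""
        return self._by_token[token]


def strip_ssns(records, vault: TokenVault):
    """Return copies of the application records with the SSN replaced by a
    surrogate person_id; the same SSN always maps to the same surrogate."""
    out = []
    for rec in records:
        rec = dict(rec)
        rec["person_id"] = vault.tokenize(rec.pop("ssn"))
        out.append(rec)
    return out
```

After this step a compromise of the application tier exposes names and plan data but no SSNs; the blast radius is confined to whoever can also reach the vault.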
James McQuiggan, Security Awareness Advocate at KnowBe4:
“As with all data breaches, it’s the customers, clients, or users who are inconvenienced and impacted. If data has been exposed, vigilance is key to continually monitoring accounts, whether they’re financial, health-related, or email-based.
Cybercriminals or other scammers will leverage this data as they are getting more sophisticated with AI-generated emails, spoofed domains, and social engineering tactics.
“Ask yourself three questions before clicking or replying:
Was I expecting this message?
Is the request unusual, especially if it’s about money, credentials, or urgent action?
Can I verify the request through another channel?
“If anything seems off, report it. Don’t forward. Use your security team’s preferred method of communication, such as email, hotline, or internal tools.
Phishing remains the most effective way for attackers to bypass security controls. Training is beneficial, but maintaining constant awareness is key. These steps are not about paranoia. It’s about being prepared. Stay skeptical. Stay secure.”
The fact that the bad guys had such a head start means that victims really are in deep trouble here. The bad guys could be doing anything with the info that they swiped. And that’s a scenario that never ends well for the victims.
This entry was posted on July 1, 2025 at 5:18 pm and is filed under Commentary with tags Hacked.