TTEC [NASDAQ: TTEC], a company used by some of the world’s biggest brands to help manage customer support and online and phone sales, is facing disruption due to a network security incident resulting from a ransomware attack, KrebsOnSecurity has learned.
While many companies have laid off or fired workers in response to the coronavirus pandemic, TTEC is hiring heavily. Formerly TeleTech Holdings Inc., based in Englewood, Colo., TTEC now has nearly 60,000 employees, most of whom work from home and answer customer support calls on behalf of a number of name-brand companies, such as Bank of America, Best Buy, Credit Karma, Dish Network, Kaiser Permanente, United States and Verizon.
On September 14th, KrebsOnSecurity heard from a reader who passed along an internal message apparently sent by TTEC to some employees regarding the status of a widespread system failure that began on Sunday, September 12th.
“We continue to deal with the system failure impacting access to the network, applications and customer support,” reads an internal message sent by TTEC to some employees.
TTEC did not respond to requests for comment. A phone call to the media contact number listed on an August 2021 TTEC earnings release produced a message that it was a non-functional number.
[Update, 6:20 p.m. ET: TTEC confirmed a ransomware attack. See the update at the end of this piece for their statement]
TTEC’s own message to employees suggests that the corporate network may have been affected by the “Ragnar Locker” ransomware group (or a rival ransomware gang masquerading as Ragnar). The message urged employees to avoid clicking on a file called “!RA!G!N!A!R!” that might have suddenly appeared in their Windows start menu.
“DO NOT click on this file,” reads the notice. “This is a harmful message file and we are working to remove it from our systems.”
Ragnar Locker is an aggressive ransomware group that typically demands millions of dollars worth of cryptocurrency in ransom payments. In an announcement posted on the group’s darknet leak site this week, the group threatened to release the full data of victims who seek help from law enforcement and investigative agencies following a ransomware attack.
One of the text messages sent to TTEC employees included a link to a Zoom videoconferencing line at ttec.zoom.us. Clicking on this link opened a Zoom session in which several TTEC employees who shared their screens took turns using the company’s Global Service Desk, an internal TTEC system for tracking customer support tickets.
TTEC employees appear to be using the Zoom conference line to report the status of various customer support teams, most of which are reporting “unable to work” at this time.
For example, the TTEC Service Desk reports that hundreds of TTEC employees assigned to Bank of America prepaid services cannot work because they cannot remotely connect to TTEC customer service tools. More than 1,000 TTEC employees are currently unable to perform their normal customer support work for Verizon, according to service desk data. Hundreds of TTEC employees who handle calls for Kaiser Permanente are also unable to work.
“They were radio silent all week except to advise employees to take another day off,” said the source who relayed the TTEC messages, who spoke to KrebsOnSecurity on condition of anonymity. “As far as I know, all lower level employees have another day off today.”
The extent and severity of the incident at TTEC remain unknown. It’s common for businesses to take critical systems offline when a network intrusion occurs, as part of a larger effort to keep the intrusion from spreading elsewhere. Sometimes disconnecting everything actually helps, or at least helps prevent the attack from spreading to partner networks. But it is these same links with partner companies that are causing concern in the case of the ongoing outage at TTEC.
In the meantime, if you’re unlucky enough to need to make a customer service call today, there’s a good chance you will experience… wait… longer wait times than usual.
This is a developing story. Further details or updates will be noted here with a timestamp.
Update, 5:37 p.m. ET: TTEC responded with the following statement:
TTEC is committed to ensuring cybersecurity and protecting the integrity of its customers’ systems and data. We recently learned of a cybersecurity incident that affected some TTEC systems. Although as a result of the incident some of our data was encrypted and business operations at several facilities were temporarily suspended, the company continues to serve its global customers. TTEC immediately activated its information security incident response business continuity protocols, isolated the systems involved, and took other appropriate actions to contain the incident. We are now in the process of carefully and deliberately restoring the systems that were involved.
We also launched an investigation, typical in the circumstances, to determine the potential impacts. In serving our customers, TTEC, in general, does not retain our customer data, and the investigation to date has not identified any compromise to customer data. This investigation is ongoing and we will take further action, if necessary, based on the results of the investigation. This is all the information we need to share until our investigation is complete.