Customer Care Giant TTEC Hit By Ransomware – Krebs on Security

TTEC [NASDAQ: TTEC], a company used by some of the world’s largest brands to help manage customer support and sales online and over the phone, is dealing with disruptions from a network security incident resulting from a ransomware attack, KrebsOnSecurity has learned.

While many companies have laid off or furloughed workers in response to the Coronavirus pandemic, TTEC has been hiring massively. Formerly TeleTech Holdings Inc., Englewood, Colo.-based TTEC now has nearly 60,000 employees, most of whom work from home and answer customer support calls on behalf of a large number of name brands, e.g. Bank of America, Best Buy, Credit Karma, Dish Network, Kaiser Permanente, USAA and Verizon.

On September 14, KrebsOnSecurity heard from a reader who passed on an internal message apparently sent by TTEC to certain employees about the status of a widespread system outage that began on Sunday, September 12.

“We continue to address system outages affecting network access, applications and customer support,” reads an internal message sent by TTEC to certain employees.

TTEC has not responded to requests for comment. A phone call to the media contact number listed on a TTEC revenue statement in August 2021 produced a message saying it was a non-working number.

[Update, 6:20 p.m. ET: TTEC confirmed a ransomware attack. See the update at the end of this piece for their statement]

TTEC’s own message to employees suggests that the company’s network may have been hit by the ransomware group “Ragnar Locker” (or by a rival ransomware gang pretending to be Ragnar). The announcement urged employees to avoid clicking on a file that may have suddenly appeared in their Windows Start menu called “! RA! G! N! A! R!”

“DO NOT click on this file,” was the message. “It is an annoying message file and we are working to remove it from our systems.”

Ragnar Locker is an aggressive ransomware group that typically demands millions of dollars’ worth of cryptocurrency in ransom. In a statement released on the group’s darknet leak site this week, the group threatened to publish the full data of victims who seek help from law enforcement and investigative agencies following a ransomware attack.

One of the messages sent to TTEC employees contained a link to a Zoom video conference line. Clicking on this link opened a Zoom session where several TTEC employees who shared their screens took turns using the company’s Global Service Desk, an internal TTEC system for tracking customer support tickets.

TTEC staff appear to be using the Zoom conference line to report the status of various customer support teams, most of which are currently “unable to work”.

For example, TTEC’s Service Desk reports that hundreds of TTEC employees assigned to work with Bank of America’s prepaid services are unable to work because they cannot remotely connect to TTEC’s customer service tools. More than 1,000 TTEC employees are currently unable to perform their normal customer support work for Verizon, according to Service Desk data. Hundreds of employees tasked with handling calls to Kaiser Permanente are also unable to work.

“They have been radio silent all week except to inform employees to take another day off,” said the source who passed on the TTEC messages, who spoke to KrebsOnSecurity on condition of anonymity. “As far as I know, all low-level employees have one more day off today.”

The extent and severity of the incident at TTEC is still unknown. It is common for companies to take critical systems offline in the event of a network breach, as part of a larger effort to stop the intrusion from spreading elsewhere. Sometimes disconnecting everything actually helps, or at least helps prevent the attack from spreading to partner networks. But it is those same connections to partner companies that cause concern in the case of TTEC’s ongoing outage.

Meanwhile, if you are unlucky enough to have to call a customer service line today, there is a better than even chance that you will experience … wait for it … longer-than-usual hold times.

This is an evolving story. Further details or updates will be noted here with a date and time stamp.

Update, 17:37 ET: TTEC responded with the following statement:

TTEC is committed to cyber security and to protecting the integrity of our customers’ systems and data. We recently became aware of a cybersecurity incident that has affected certain TTEC systems. Although some of our data was encrypted as a result of the incident and business activities at several facilities were temporarily interrupted, the company continued to service its global customers. TTEC immediately activated its information security incident response business continuity protocols, isolated the systems involved and took other appropriate measures to contain the incident. We are now in the process of carefully and deliberately restoring the systems that have been involved.

We also initiated an investigation, typical under the circumstances, to determine the potential consequences. By serving our clients, TTEC generally does not maintain our customers’ data, and the survey to date has not identified a compromise with customers’ data. This study is ongoing and we will take further action based on the results of the study as needed. This is all the information we need to share until our investigation is completed.

