HR firm confirms 4M records exposed in major hack

Even firms entrusted with managing personal information are not immune. The latest example is VeriSource Services, a Texas-based employee benefits and HR administration provider that experienced a major data breach. 

Somehow, it took VeriSource over a year to determine the full scope of the breach, including the identification all individuals who had their information exposed.

What worries me the most is the delay in fully notifying everyone affected. VeriSource had sent out preliminary breach notices to about 55,000 people in May 2024 and then to another 112,000 people in September 2024. However, those early notifications covered only a small fraction of the approximately 4 million victims eventually identified. This means the majority of affected individuals did not learn of the breach until the final notification wave in April 2025, more than a year after the data was actually compromised.

We reached out to VeriSource for a comment but did not hear back before our deadline.

If you think you were affected by the VeriSource data breach or just want to be cautious, here are some steps you can take right now to stay safe from the data breach:

3. Set up fraud alerts: Requesting fraud alerts notifies creditors that they need extra verification before issuing credit in your name. You can request fraud alerts through any one of the three major credit bureaus. They'll notify the others. This adds another layer of protection without completely freezing access to credit.  

5. Be wary of social engineering attacks and use strong antivirus software: Hackers may use stolen details like names or birthdates from breaches in phone scams or fake customer service calls designed to trick you into revealing more sensitive info. Never share personal details over unsolicited calls or emails. Also, never click on unexpected links or attachments in emails, texts or messages because they may contain malware or lead to phishing sites designed to steal your information. 

What stands out in the VeriSource breach isn't just the scale, but the silence. When a company sits on breach data for over a year, regardless of intent, it erodes trust in systems designed to protect workers. These aren't just compliance failures. They're human ones. Four million people had their most sensitive information exposed, and for many of them, the warning came far too late. This should be a moment of reckoning for how organizations define responsibility after a breach. A timely response isn't just good PR. It's a baseline expectation. And if it takes over a year to realize the full scope of a cyberattack, maybe the incident isn't the only vulnerability worth addressing.

Follow Kurt on his social channels

Answers to the most asked CyberGuy questions:

New from Kurt:

Copyright 2025 CyberGuy.com.  All rights reserved.