Cardinal Services, Inc. has started issuing data breach notifications to 142,323 people following two separate cybersecurity incidents in 2025 — one in June and one in August. Ransomware group Rhysida claimed the first attack, issuing a $940,000 ransom demand. INC claimed the second.
In its notification, Cardinal Services states that:
On or around June 30, 2025, Cardinal became aware of unauthorized access it its systems. Upon learning of this issue, Cardinal immediately commenced an investigation into the incident and worked with external cyber security professionals experienced in handling these types of situations. During the investigation on August 8, 2025, Cardinal became aware of further unauthorized access to its systems and immediately worked with the cybersecurity professionals to secure its internal environment and continue its investigation to determine whether any personal or sensitive data was impacted as a result of the incidents.”
Exactly what data has been impacted in these incidents isn’t clear (the information is redacted in the notification) but Cardinal is offering those affected complimentary access to Epiq Privacy Solutions ID, which suggests sensitive data, such as Social Security numbers, could have been involved.
Rhysida added Cardinal Services to its data leak site in mid-July 2025, issuing an 8 bitcoin ransom demand worth $940,000 at the time. Included within its proof pack were screenshots of Social Security numbers, ID cards, a tax compliance certificate, and various other documents.
In mid-September 2025, INC also added Cardinal Services to its data leak site. It said 140 GB of data had been stolen.
Cardinal Services hasn’t confirmed either of these ransomware claims, nor has it said whether any ransoms were demanded and/or paid. Comparitech contacted Cardinal for more information and we’ll update this article if we receive a response.
Who is Rhysida?
Rhysida is thought to have ties to the ransomware group Vice Society and first originated in May 2023. Since then, we have logged 268 attacks via this group with 112 of these attacks being confirmed by the entity involved.
Heart South Cardiovascular Group and Phoenix Art Museum recently issued data breach notifications following 2025 attacks claimed by Rhysida, with 46,666 and 1,758 people affected, respectively.
So far this year, we have noted eight attacks via Rhysida with two of these attacks being confirmed. These are German tech company Elabs AG, and Canadian manufacturer STELIA Aerospace North America Inc.Â
Who is INC?
INC also emerged in 2023 (July) and has claimed 775 victims since then. Across these attacks, 188 have been confirmed by the entity involved.
Other recently confirmed attacks via the group include (all US-based):
- Sandhills Medical Foundation, Inc. – May 2025 – 169,017 people affected
- Cape Fear Country Club – January 2026
- Pulpdent Corporation – March 2026
- Central Medical Services of Westrock (CMSW) – May 2026
- Parker Lipman LLP – March 2026 – 1,120 people affected
So far this year, we’ve recorded 195 attacks via INC with 22 of these being confirmed.
Ransomware attacks on US companies
In 2025, we tracked 755 confirmed attacks on US companies and are monitoring a further 3,121Â unconfirmed attacks. Across the confirmed attacks, over 44.6 million records have been affected.
Other attacks that have been confirmed in recent weeks include:
- American Lending Center – July 2025 – 123,158 people impacted (hackers unknown)
- Fluke Corporation – August 2025 – 18,517 people impacted (claimed by Clop)
- US Tiger Securities Inc. – July 2025 – 26,985 people impacted (unknown hackers)
- Vacation Myrtle Beach – June 2025 – 10,750 people impacted (claimed by Play)
So far this year, we’ve noted 107 confirmed attacks and 1,387Â unconfirmed attacks.
About Cardinal Services, Inc.
Located in Coos Bay, Oregon, Cardinal Services is an employment services firm that specializes in helping organizations with their payroll, staffing, workers’ comp, and HR needs. It was established in 1984.
