
Cornerstone staffing ransomware attack leaks 120,000 resumes, claims Qilin gang

Cornerstone Staffing Solutions, a nationwide US employment agency and tech recruiter, has allegedly been breached by the Qilin ransomware group, which claims to have pilfered the “personal resumes” of over 120,000 job seekers, along with over 1 million company files.

The notorious Qilin gang posted the industry-leading recruitment agency on its dark leak blog on Thursday.

The group claims to have exfiltrated 300 GB of sensitive information from Cornerstone, including the employment resumes of 120,000 individuals that were stored in the agency’s network systems.

The resumes are part of a purported stolen cache of roughly 1 million files, which is also said to contain nearly 24 million pieces of personal information, the group wrote in red letters across the top of one of the proof samples it provided.

Cybernews has reached out to Cornerstone, but has not heard back at the time of this report.

Qilin ransomware attack - Cornerstone staffing post

Headquartered in the San Francisco Bay area, Cornerstone is a massive agency with staffing locations across the US, including eight offices in California, three in Michigan, and offices in Arizona, Maryland, Nevada, New Jersey, and Texas.

First established in 2003, Cornerstone claims to help place 10,000 job seekers each year, from temporary to direct-hire positions, and on-site staffing for larger companies, according to its website.

The company specializes in technology and engineering recruitment, staffing, and consulting, as well as other niche industries, including logistics & transportation, manufacturing & light industrial, sales & business development.

US employment agency

Personal data exposed includes SSNs

In total, Qilin provides a sample of 13 documents in the Cornerstone leak post.

One document appears to show a list of resumes saved as files in PDF format – with each file labeled as the person's first and last name, followed by Resume.pdf – JohnSmith/Resume.pdf – leaving little to the imagination.

Besides resumes containing troves of information that could provide cybercriminals with months' worth of targeted phishing material, samples of databases filled with sensitive information were also presented by the group.

Personal information exposed by Qilin includes names, Social Security numbers, street addresses, email addresses, telephone numbers, branch locations, and Employee ID numbers, although it is unclear whether the PII belongs to job seekers or actual Cornerstone employees.

Qilin ransomware attack - Cornerstone staffing samples

Several files show lists of Cornerstone employees, including names, job titles, salary information, and signed confidentiality agreements.

Other documents Cybernews could examine appeared to be company invoices, bank account statements, internal banking ledgers, 2024 sales budgets, and overhead for each Cornerstone location.

Qilin ransomware gang dominates 2025

The Qilin gang first appeared on the ransomware circuit in 2022, but its dark leak site claims that it began operating in 2021.

The Russian-linked cartel has aggressively outperformed its ransomware rivals this year, becoming the most active ransomware group of 2025, and claiming more than 500 attacks in the last six months alone.

According to Cybernews' in-house surveillance tool, Ransomlooker, the gang has listed 991 victims since 2023, with many well-known names on the list.

On November 6th, the ransomware group hit the Switzerland-based international Habib Bank AG Zurich, allegedly compromising 2 million files, and just days earlier claimed the US pharmacy benefits manager MedImpact Healthcare Systems.

Qilin Ransomlooker stats Nov 2025

Known for using a ransomware-as-a-service (RaaS) business model, the group, which is said to actively recruit affiliates on Russian-language hacker forums, also avoids targeting Commonwealth of Independent States (CIS) countries, suggesting a Kremlin-aligned agenda.

The cybercriminal outfit often uses double extortion tactics, demanding a ransom for decryption, and then a second payout to guarantee the gang won’t leak the stolen files after the fact.

Qilin has recently allied with the notorious Russia-linked gangs LockBit and DragonForce. Cooperation between the three groups could lead to improved tactics and an increased volume of attacks through the sharing of resources.

The group made waves in October with attacks on Japan's largest beer producer, Asahi Holdings; Volkswagen Group France; California Golf Club of San Francisco (Cal Club); and Israel's 4th largest hospital, Shamir Medical Center, on Yom Kippur.

Qilin also recently claimed attacks on Nissan Japan's design arm, Creative Box, and US pharmaceutical research conglomerate Inotiv.

 

According to a recent profile on the group by Comparitech, Qilin primarily targets manufacturers, finance companies, retailers, healthcare providers, and government agencies, as these sectors store sensitive information and can suffer the most from data breaches.

The research also showed a total of 116 TB of data exfiltrated across all attacks, impacting over 780,000 records in confirmed attacks.

When it comes to affected countries, Qilin has hit the US with the most attacks (375), followed by France (41), Canada (39), South Korea (33), and Spain (26).

Other past Qilin victims further include California PR firm Singer Associates, energy and manufacturing giant SK Group, US newspaper conglomerate Lee Enterprises, the Houston Symphony, Detroit’s PBS TV station, top North American auto parts suppliers Yanfeng in China, and the Utsunomiya cancer treatment center in Japan.
