Cross Resource Group Data Breach Exposes Social Security Numbers and Payroll Information

HR Technology data breach illustration
Breach Discovery: 19th May 2026Breach Notification: 26th June 2026

What Happened in the Cross Resource Group Data Breach?

Cross Resource Group, formally known as Cross Recruiting Inc., recently disclosed a data breach that exposed sensitive employee information. The company discovered the incident on or around May 19, 2026. As a result, it began notifying regulators and affected individuals about the exposure of personal data.

According to the company’s notification letter, the Cross Resource Group data breach happened when an employee accidentally sent certain personal information to an unauthorized recipient. This was not a hacking incident or a ransomware attack. Instead, it stemmed from human error during normal business operations. Because the disclosure went to someone outside the company, sensitive employee records ended up in the wrong hands.

Once Cross Resource Group discovered the mistake, it moved quickly to contain the situation. The company implemented security measures to limit any further exposure and reduce potential harm. In addition, Cross Resource Group notified the Massachusetts Office of Consumer Affairs and Business Regulation and the New Hampshire Attorney General, starting on June 26, 2026. These filings show that the company took steps to meet its legal obligations after the discovery.

Who was affected?

The Cross Resource Group data breach affects current and former employees of the company. Because Cross Resource Group operates as a staffing and recruiting firm, this incident likely touches individuals who worked with the company across different placements and time periods. As a result, both recent hires and people who left the company years ago could be impacted.

The exact number of affected individuals has not been publicly disclosed. However, the notification letters sent to regulators in Massachusetts and New Hampshire indicate that the breach reaches beyond a single state. This suggests the affected population may span multiple states where Cross Resource Group placed or employed workers. Since payroll and tax information were involved, this breach specifically affects people whose employment records were stored in the company’s systems.

What Information Was Potentially Exposed?

The information involved in this incident is highly sensitive because it relates directly to employment and financial identity. Cross Resource Group confirmed that several categories of personal data were part of the exposure.

  • First and last names
  • Home addresses
  • Payroll information
  • Social Security numbers
  • Employee tax information
  • Other identifying information

This combination of data is particularly concerning because it gives criminals nearly everything needed to commit identity theft. For example, a Social Security number paired with a full name and address can allow someone to open new credit accounts or file fraudulent tax returns. Because payroll and tax records were also exposed, affected individuals face an increased risk of tax-related fraud during filing season.

Beyond identity theft, this type of exposure can lead to long-term financial complications. Criminals may use stolen Social Security numbers to apply for loans, open bank accounts, or even seek employment under someone else’s identity. In addition, exposed addresses and names can make phishing attempts more convincing, since scammers can reference accurate personal details to build trust. Affected individuals should treat this exposure seriously, even though the breach resulted from an accidental disclosure rather than a targeted cyberattack.

What is the company doing?

After discovering the incident, Cross Resource Group acted to limit further exposure. The company stated that it immediately implemented security measures to contain the breach and reduce potential impact. This included reviewing how the information was disclosed and taking steps to prevent similar mistakes going forward.

In response to the breach, Cross Resource Group is offering affected individuals 24 months of complimentary credit monitoring through Cyberscout. This service includes single bureau credit monitoring, a single bureau credit report, and a single bureau credit score. Furthermore, the company has set up a dedicated help line, available Monday through Friday from 8 a.m. to 8 p.m. Eastern time, for 90 days from the date of the notification letter. This gives affected individuals a direct way to ask questions and get support.

What Should Affected Individuals Do?

Enroll in the Free Credit Monitoring

Affected individuals should sign up for the complimentary credit monitoring service offered by Cross Resource Group. Because enrollment must happen within 90 days of the notification letter, it’s important to act quickly rather than set the letter aside.

To enroll, individuals can visit the Cyberscout activation page and enter the unique code included in their letter. This monitoring can help detect unauthorized activity early, giving affected individuals a chance to respond before serious damage occurs.

Consider a Credit Freeze or Fraud Alert

Because Social Security numbers were exposed, affected individuals should strongly consider placing a fraud alert or credit freeze with the three major credit bureaus. A credit freeze restricts access to your credit report, which makes it much harder for identity thieves to open new accounts in your name.

A fraud alert, on the other hand, requires lenders to take extra steps to verify your identity before extending credit. Either option adds a meaningful layer of protection. Since this breach involved tax information as well, it may also be worth notifying the IRS or requesting an Identity Protection PIN to guard against fraudulent tax filings.

Monitor Financial and Tax Accounts Closely

Affected individuals should regularly review bank statements, credit card activity, and tax records for anything unusual. Because payroll and tax data were exposed, fraudulent tax filings are a real possibility, especially as tax season approaches.

If you notice any unfamiliar accounts, charges, or filings, report them immediately to your financial institution or the IRS. Acting quickly can limit the financial damage and make it easier to resolve fraudulent activity before it escalates.

Stay Alert for Phishing Attempts

Since scammers often use breached personal information to craft convincing phishing messages, affected individuals should be cautious of unexpected emails, texts, or phone calls. These messages may reference accurate details, like your name or address, to appear legitimate.

As a result, it’s wise to avoid clicking links or sharing additional information in response to unsolicited messages. Instead, verify any request by contacting the organization directly through a known, official channel.

Consult a Data Breach Attorney

Given the sensitive nature of the exposed data, affected individuals may want to speak with a data breach attorney to understand their legal options. An attorney can help evaluate whether you qualify for compensation related to this incident.

Many attorneys offer free consultations, so there’s little downside to exploring this option. This is especially worthwhile if you experience financial harm or spend significant time addressing the aftermath of the breach.



More Information

Cross Resource Group

Massachusetts Office of Consumer Affairs and Business Regulation

New Hampshire Attorney General

Cyberscout enrollment page

Related Data Breaches