Subject: Notification of Security Incident involving Personal Data

Dear (former) employee or candidate,

Yource Bulgaria and Yource Greece (“YBU”) are publishing this notice to inform former employees and candidates of a recent IT security incident.

What happened

Around 18 December 2025, YBU identified unauthorized access to one of its IT systems. Our investigation is ongoing. While we cannot confirm that personal data has been misused, we currently have indications that employee-related data may have been accessed and/or obtained without authorization.

What information may have been involved

Depending on your individual situation, the incident may have involved access to personal data typically processed in an employment or recruitment context, including for example:

Identification and contact details (such as name, address, email address, telephone number)

Employment or application-related information (such as contracts, job titles, personnel or recruitment files, salary or performance-related data)

Administrative HR data relating to payroll, benefits, leave, or taxation

Other information contained in HR or personnel records, or shared through emails or stored personally (which could include a copy ID)

At this stage, we cannot determine whether your specific data was accessed or obtained.

What you can do

As a precaution, we recommend that you:

remain alert to suspicious emails, messages, or requests for personal information;

change any passwords that were previously used on YBU corporate laptops or to access YBU systems, and ensure these passwords are not reused elsewhere;

report any suspicious activity you believe may be related to this incident

What we are doing

We have taken additional technical and organizational measures to strengthen our security. Where required, the incident has been reported to the relevant supervisory authority.

Contact

If you have questions or concerns about this incident, you may contact the Data Protection Officer of YBU:

Mrs. Zdravka Bacheva
[email protected]