Thousands of Americans and over 700 Coloradans had their personal information accessed in cyberattacks for almost a year before it was noticed, and it took over nine months for those affected to learn of the data breach. But the Colorado Attorney General’s Office announced yesterday that the company responsible will pay a sum in settlement and implement stricter security.
The personal information ranged from Social Security and passport numbers to usernames and emails, and was accessed through the email network of Impact MHC, a Colorado-based mobile home park management company. As a result of the breach, the company is implementing new safety measures and paying the attorney general’s office $25,000 as part of the settlement. The office claims that over 15,000 people nationwide were affected by the breach, including 719 Coloradans.
The Impact website states that it is one of the industry’s largest owner-operators of manufactured housing communities in North America and has properties across the country.
Impact failed to safeguard sensitive information, allowing employees to send it and keep it in their email accounts, according to a press release from the attorney general’s office. In 2018, criminals used phishing scams to access employee emails, which included Social Security numbers and financial details.
The Impact website provided a notice of the incident in May of last year. The notice mentions that the company was unaware of any actual or attempted misuse. According to the Impact site, in July 2019, the company became aware of suspicious activity relating to an employee email account and immediately launched an investigation. With the help of a computer forensic firm, the investigation determined that an unauthorized person accessed several employees’ emails during the month of July in 2020, but two other accounts had been accessed between October 2018 and July 2019.
What exactly was accessed, however, varied from individual to individual, according to the notice. It ranged from basic information such as Social Security numbers and dates of birth to medical information and credit or debit card numbers. A small number of people even had passport numbers compromised.
The continued access to the sensitive data was partially due to the data being stored in email accounts containing “hundreds of thousands” of emails and because the company took so long to notify anyone affected, according to the assurance.
However, when Impact discovered the breach, it took 10 months to notify consumers in Colorado, according to the office’s release, even though “Colorado law generally requires notice of a data breach no later than 30 days after the breach occurs.”
The company stated in the release that after a long and labor-intensive investigation they identified the personal information contained in the affected email accounts and contacted the individuals.
“Because Impact MHC was unable to determine which email messages in the accounts may have been viewed or acquired by the unauthorized actor, the entire contents of the impacted email accounts were reviewed to identify what personal information was accessible to the unauthorized actor(s),” the notice states.
According to the official assurance of discontinuance, Impact’s “inadequate” data security practices allowed the personal information of Coloradans to be accessed for over nine months before it was detected.
“Now more than ever companies must remain vigilant in the digital world,” said Colorado Attorney General Phil Weiser in a statement.
State law requires companies that maintain sensitive personal information to take reasonable steps to protect it. The AG’s Office includes a set of tips for businesses and an overview of security laws on its website.