Nonprofit People Inc. has notified nearly 1,000 of its current and
former clients that personal information was exposed after email accounts of
two employees had been breached.
The organizations said it discovered
on February “that an unknown individual had gained access to an email account
belonging to a People Inc. employee,” according to an alert.
People Inc. “immediately reset the password required to access the impacted
account,” the organization said, and immediately brought in an independent
forensics firm to investigate.
“Through this investigation, People
Inc. learned that an email account belonging to a second employee may have been
impacted as well. That account is no longer operational.,” People Inc.
said. “On April 11, 2019, as a result of this investigation, People Inc.
learned that the two email accounts contained personal information belonging to
some current and former clients.”
The nonprofit, the largest in western New York serving 12,000
people, has found no evidence of misuse of the information, which included Social
Security numbers, medical and financial information, health insurance, names,
driver’s license data and addresses.
“Email is one of the
largest repositories of unstructured data within any organization. Between the
messages themselves and the attachments contained within them, email provides a
treasure trove of data for external attackers and malicious insiders alike,”
said Adam Laub, senior vice president at STEALTHbits. “Technologies retention
policies can help to reduce the amount of valuable data made readily available
in a breach scenario, but proactive identification of where sensitive
information exists within mailboxes can help organizations determine where the
hotspots are and which users may need more advanced protections. Every business
could benefit from this sort of analysis as it’s often an eye-opening
experience on just how vulnerable they are.”
Gloss