Beginning in August 2021, a ransomware attack targeted and caused a leak of data belonging to the Morley Companies and its clients. The organization that provides business services to Fortune 500 companies said the attack made their data ‘unavailable.’
The leak exposed sensitive information belonging to more than 500,000 people, including Social Security numbers. Morley Companies came under criticism and was questioned as to why the attack notification was sent out nearly six months after the leak and avoided specific mention of a ransomware attack.
Affected data involved current and former employees and clients, and included names, addresses, Social Security numbers, dates of birth, client identification numbers and diagnostic, treatment and other health information.
Regarding the announcement delay, Morley said it required six months to collect the ‘contact information needed to provide notice to potentially affected individuals.’ The company filed with Maine’s Office of the Attorney General and specified the number of victims was 521,046, and each received a detailed letter offering credit monitoring and identity theft protection services. A call center dedicated to handling the inquiries of those affected was set up.
The company mentioned unauthorized access to some files containing personal information and a ‘ransomware-type malware prevented access to some data files in the system starting August 1, 2021.’
Cerberus Sentinel’s Chris Clements believes that the hackers could have had access to data before the ransomware was activated. This could result in Morley and their customers being locked out of their own data. Although Morley is now more careful with customers’ data, the identity theft may have happened long before anyone realized it.
This unfortunate experience shows how unprepared even large organizations may be against cyberattacks, making enforcement of regulations and creation of a culture of compliance all the more necessary and urgent. While the exact cause of the Morley breach is still unknown, it is common knowledge that cybercriminals target companies with vulnerabilities in their data security systems and technology. Even though Morley Companies claim to know whose data was accessed, there is no way to know for sure that the 521,046 identified victims were the only ones targeted. Protection of data and immediate detection of breaches must be a priority for every company that deals with sensitive data.