Massachusetts-based Avention, formerly known as OneSource Solutions, is investigating two recent data breaches that may, or may not, be the work of the same criminal(s).
In a letter to the New Hampshire Attorney General’s Office, their external counsel provides a chronology of events, beginning with reports by some employees on April 19 that their tax returns had been rejected because returns had already been filed in their names. Avention promptly launched an investigation, started scanning its internal systems, and contacted all its vendors.
On April 28, Avention learned that an employee’s login credentials to their human resource information system (HRIS) vendor had been used to download all employees’ I-9 forms on March 31. I-9 forms are provided by the United States Citizenship and Immigration Services and are used by employers to verify employment eligibility. Completed forms include the employees’ names, addresses, and Social Security numbers, and may also include passport numbers, driver’s license numbers, birth certificates, and/or other government-issued identification numbers.
Of note, it would appear that the unnamed HRIS vendor did not detect the misuse of the login credentials until they were asked to investigate.
Avention confirmed with the employee whose login credentials had been used that s/he had not downloaded the I-9 forms, and then contacted external counsel and federal law enforcement. They also retained a cybersecurity firm to investigate.
If April 28 was bad, the next day would be no better. On April 29, Avention learned that on April 5, an employee had fallen for a phishing scam and had emailed all employees’ W-2 statements to an unauthorized individual. W-2 statements include names, addresses, Social Security numbers, wages, and taxes withheld in 2015.
It appears that the employee who fell for the phishing scam is not the same employee whose login credentials were misused to access the I-9 forms, but DataBreaches.net is attempting to confirm that.
It would also appear that like the I-9 breach, the W-2 breach had also gone undetected until Avention began investigating the employees’ reports of problems with their returns.
Avention, whose LinkedIn profile indicates 201-500 employees, notified its employees on April 29 in a town hall meeting, and then followed up with email notification to current and former employees on May 4. Letters with an offer of three years of credit monitoring for those affected began going out this past week.
Avention has offices across North America, Europe and APAC.
DataBreaches.net contacted Avention’s media representative as to how many employees, total, were impacted by these breaches, but did not receive an immediate response. This post will be updated as more information becomes available.
Update: Post-publication, Avention submitted a statement that did not address any of the questions DataBreaches.net had put to them:
Avention recently learned that we suffered a security incident, which resulted in unauthorized access to certain employee information, including Social Security numbers, by an unknown source. As soon as Avention discovered this crime, we immediately launched an investigation, hired a leading cybersecurity firm, and contacted federal law enforcement.
Avention takes this attack on our personnel extremely seriously. We notified affected individuals of the incident so that they can protect themselves and are providing three free years of identity theft protection services, including insurance for losses and credit monitoring.
Avention is continuing to investigate this matter, and we are also conducting a thorough review of our security measures, internal controls, and safeguards in an effort to help prevent a similar incident in the future. The security of employees’ information is a top priority, and we continue to take all appropriate and necessary steps needed to address the situation.
This security issue is internal only and did not impact our customers. Our products, services, and commercial services were also not effected. That being said, we are vigilantly monitoring all our data sources to protect against future attacks.
DataBreaches.net has sent a response to Avention to see if they will answer the substantive questions put to them.
Update: Well, no, they won’t, it seems. They responded:
Avention cannot respond to some of the questions but wanted to ensure you
had some additional information. What they are most concerned about right
now is making sure they protect those who have been affected.