DataBreaches.Net

Double whammy: Avention investigating two data breaches involving employee info

Posted on May 13, 2016 by Dissent

Massachusetts-based Avention, formerly known as OneSource Solutions, is investigating two recent data breaches that may, or may not, be the work of the same criminal(s).

In a letter to the New Hampshire Attorney General’s Office, their external counsel provides a chronology of events, beginning with reports by some employees on April 19 that their tax returns had been rejected because returns had already been filed in their names. Avention promptly launched an investigation, started scanning its internal systems, and contacted all its vendors.

On April 28, Avention learned that an employee’s login credentials to their human resource information system (HRIS) vendor had been used to download all employees’ I-9 forms on March 31. I-9 forms are provided by the United States Citizenship and Immigration Services and are used by employers to verify employment eligibility. Completed forms include the employees’ names, addresses, and Social Security numbers, and may also include passport numbers, driver’s license numbers, birth certificates, and/or other government-issued identification numbers.

Of note, it would appear that the unnamed HRIS vendor did not detect the misuse of the login credentials until they were asked to investigate.

Avention confirmed with the employee whose login credentials had been used that s/he had not downloaded the I-9 forms, and then contacted external counsel and federal law enforcement. They also retained a cybersecurity firm to investigate.

If April 28 was bad, the next day would be no better. On April 29, Avention learned that on April 5, an employee had fallen for a phishing scam and had emailed all employees’ W-2 statements to an unauthorized individual. W-2 statements include names, addresses, Social Security numbers, wages, and taxes withheld in 2015.

It appears that the employee who fell for the phishing scam is not the same employee whose login credentials were misused to access the I-9 forms, but DataBreaches.net is attempting to confirm that.

It would also appear that, like the I-9 breach, the W-2 breach had gone undetected until Avention began investigating the employees’ reports of problems with their returns.

Avention, whose LinkedIn profile indicates 201-500 employees, notified its employees on April 29 in a town hall meeting, and then followed up with email notification to current and former employees on May 4. Letters with an offer of three years of credit monitoring for those affected began going out this past week.

Avention has offices across North America, Europe and APAC.

DataBreaches.net contacted Avention’s media representative as to how many employees, total, were impacted by these breaches, but did not receive an immediate response. This post will be updated as more information becomes available.

Update: Post-publication, Avention submitted a statement that did not address any of the questions DataBreaches.net had put to them:

Avention recently learned that we suffered a security incident, which resulted in unauthorized access to certain employee information, including Social Security numbers, by an unknown source. As soon as Avention discovered this crime, we immediately launched an investigation, hired a leading cybersecurity firm, and contacted federal law enforcement.

Avention takes this attack on our personnel extremely seriously. We notified affected individuals of the incident so that they can protect themselves and are providing three free years of identity theft protection services, including insurance for losses and credit monitoring.

Avention is continuing to investigate this matter, and we are also conducting a thorough review of our security measures, internal controls, and safeguards in an effort to help prevent a similar incident in the future. The security of employees’ information is a top priority, and we continue to take all appropriate and necessary steps needed to address the situation.

This security issue is internal only and did not impact our customers. Our products, services, and commercial services were also not affected. That being said, we are vigilantly monitoring all our data sources to protect against future attacks.

DataBreaches.net has sent a response to Avention to see if they will answer the substantive questions put to them.

Update: Well, no, they won’t, it seems. They responded:

Avention cannot respond to some of the questions but wanted to ensure you
had some additional information. What they are most concerned about right
now is making sure they protect those who have been affected.

Category: Breach Incidents, Business Sector, ID Theft, Of Note, Other, Phishing, U.S.
