DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

MA: Payment Processor to Pay $155,000 Over Data Breach Affecting Thousands of Massachusetts Residents

Posted on December 20, 2018 by Dissent

Massachusetts Attorney General had a busy day yesterday announcing enforcement actions over data breaches that had been disclosed in 2015. In addition to her announcement about the McLean Hospital settlement, she also announced a second settlement stemming from another 2015 breach that had also been reported by DataBreaches.net at the time.

A California company that processes payments for rental and vacation properties will pay $155,000 to resolve allegations that it violated consumer protection and data security laws by exposing the personal information of 6,800 Massachusetts residents online, Attorney General Maura Healey announced today. 


In the assurance of discontinuance, filed in Suffolk Superior Court, Yapstone Holdings Inc. has also agreed to comply with state laws and implement policies to improve the security of its systems and protect sensitive consumer data online.


“This company broke the law by failing to take immediate action when consumers’ personal information was at risk,” said AG Healey. “Through our settlement, Yapstone will pay a penalty and take significant steps to safeguard the personal information of customers


The AG’s Office began its investigation after Yapstone notified the office of the incident in 2015. The investigation revealed that in July 2014, while modifying Yapstone’s website, the company’s engineers accidentally removed password protections from public-facing websites used to sign users up for Yapstone’s service. These websites stored consumers’ personal information, such as bank account and social security numbers, addresses, and driver’s license numbers. The mistake rendered the webpages publicly viewable to anyone on the internet for more than a year. The investigation found that Yapstone employees appeared to have been aware of the vulnerability in August 2014 but neglected to fix it until August 2015, when another employee discovered it. 


The settlement requires Yapstone to maintain a chief information security officer, train employees on data security, and assess and update information security policies relating to changes to its systems and to external vulnerabilities. 


The AG’s Office enforces the Massachusetts Data Security Regulations, which require businesses and organizations to develop, implement, and maintain a written information security program and protect the personal information of Massachusetts consumers. 


If you believe that you have been the victim of a data breach, you will need to take additional steps to protect your credit and your personal information. For additional information, consumers may contact the Attorney General’s consumer hotline at (617) 727-8400. Guidance for businesses on data breaches can be found here.


This matter was handled by Assistant Attorneys General Jared Rinehimer and Michael Lecaroz and Director of Data Privacy and Security Sara Cable, all of the AG’s Consumer Protection Division. 

Category: Business SectorExposureOf NoteU.S.

Post navigation

← MA: McLean Hospital to Implement New Security and Training Programs After Data Breach Exposed Sensitive Health Information
DrBenLynch.com notifies customers of payment card compromise →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • AT&T gets preliminary approval for $177 million data breach settlement
  • Aflac notifies SEC of breach suspected to be work of Scattered Spider
  • Former JBLM soldier pleads guilty to attempting to share military secrets with China
  • No, the 16 billion credentials leak is not a new data breach — a wake-up call about fake news (Updated)
  • Tonga’s health system hit by cyberattack (1)
  • Russia Expert Falls Prey to Elite Hackers Disguised as US Officials
  • Proposed class action settlement in In re Netgain Technology litigation
  • Qilin Offers “Call a lawyer” Button For Affiliates Attempting To Extort Ransoms From Victims Who Won’t Pay
  • Ireland’s Data Protection Commission publishes 2024 Annual Report
  • The headlines suggested Freedman Healthcare suffered a ransomware attack that affected patient data. The reality was quite different.

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill
  • Officials defend Liberal bill that would force hospitals, banks, hotels to hand over data
  • US Judge Invalidates Biden Rule Protecting Privacy for Abortions
  • DOJ’s Data Security Program: Key Compliance Considerations for Impacted Entities
  • 23andMe fined £2.31 million for failing to protect UK users’ genetic data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.