Seen on their web site:
The Sewell Family of Companies has concluded an investigation into a data security incident that occurred August 1, 2020, when officials learned of an unauthorized attempt to access its network. At the time, SFC followed its protocol and immediately shut down its network to prevent further harm. SFC launched an investigation, notified the Federal Bureau of Investigation, and engaged computer forensic specialists to assist its internal team on this effort.
Although SFC found no evidence that information stored on its network has been misused, it is possible that the personal information of a portion of its community could have been exposed to individuals not authorized to view it.
This investigation was meticulous and today, March 17th, 2021, was the soonest SFC was in position to provide the facts and ensure resources were in place to protect members of its community.
The Sewell Family of Companies mailed letters on March 17 to a small number of its customers, employees, and others who may have done business with SFC, and offered these individuals at least 12 months of credit monitoring services.
The vast majority of SFC employees and customers are not impacted, though we appreciate this is of little solace to those who do receive a letter. We apologize for any inconvenience this may cause.
There is no evidence that fraud has occurred as a result of this incident. That said, employees and customers are encouraged to utilize these services to protect against fraudulent use of their personal information and remain vigilant against incidents of identity theft and fraud.
Sewell has established a call center to answer questions for those who receive letters. The number is (833) 416-0855.Additionally, SFC has implemented a series of containment and remediation measures to address the incident, as well as strategies to defend the security of its network.
We are confident we are stronger and better following this experience.
So what kinds of data were involved? The notice doesn’t seem to explain that. And why couldn’t their investigation and work have been completed much sooner? Were there millions of email accounts to go through? What took so long? Why so long from incident to notification?