eCommerce payment processor EasyDraft is notifying Bright Horizons Family Solutions customers of a breach that started in October 2012 with a misconfigured server. The breach wasn’t discovered until January 2014, however, when Bright Horizons contacted EasyDraft to alert them to the problem.
In their report to the New Hampshire Attorney General’s Office, lawyers for EasyDraft write:
We write to inform you of a recent data security incident on behalf of our client, MilCo Enterprises, Inc., d/b/a EasyDraft (“EasyDraft”). In January, 2014, EasyDraft learned that a website, intended to be accessible only within a secured VPN and hosting files containing certain personal banking information, was publically (sic) available between October, 2012, and January, 2014. Upon learning of the incident on January 8, 2014, EasyDraft promptly shut down the website and took immediate steps to investigate the information that may have been accessed and the extent of any possible compromise of consumer information. Based on this investigation, EasyDraft has reason to believe that the following information was publicly available: 1) first and last name; 2) bank routing number; and 3) bank account number.
Consumers were sent notification letters this week that began:
MilCo Enterprises, Inc., doing business as EasyDraft (“EasyDraft” or “us” or “we”), is an ACH processing vendor of Bright Horizons Family Solutions (“Bright Horizons”). You are receiving this notification because you are a current or former customer of Bright Horizons, and we have recently discovered that the following personal information may have been compromised: first name, last name, bank account number, and bank routing number.
Bright Horizons has locations in numerous states and the notification does not report the total number of individuals affected by this breach, although it does indicate that no other EasyDraft clients were affected by it. Affected Bright Horizons customers have been offered free services with Kroll.
You can read the notifications here (pdf). So far, we know of 30 residents in New Hampshire and 492 in Maryland that have been notified.