Nonprofit People Inc. has notified nearly 1,000 of its current and former clients that personal information was exposed after email accounts of two employees had been breached.
The organization said it discovered on February “that an unknown individual had gained access to an email account belonging to a People Inc. employee,” according to an alert. People Inc. “immediately reset the password required to access the impacted account,” the organization said, and immediately brought in an independent forensics firm to investigate.
“Through this investigation, People Inc. learned that an email account belonging to a second employee may have been impacted as well. That account is no longer operational,” People Inc. said. “On April 11, 2019, as a result of this investigation, People Inc. learned that the two email accounts contained personal information belonging to some current and former clients.”
The nonprofit, the largest in western New York serving 12,000 people, has found no evidence of misuse of the information, which included Social Security numbers, medical and financial information, health insurance, names, driver’s license data and addresses.
“Email is one of the largest repositories of unstructured data within any organization. Between the messages themselves and the attachments contained within them, email provides a treasure trove of data for external attackers and malicious insiders alike,” said Adam Laub, senior vice president at STEALTHbits. “Technologies retention policies can help to reduce the amount of valuable data made readily available in a breach scenario, but proactive identification of where sensitive information exists within mailboxes can help organizations determine where the hotspots are and which users may need more advanced protections. Every business could benefit from this sort of analysis as it’s often an eye-opening experience on just how vulnerable they are.”