People Inc. is Western New York’s largest nonprofit, serving more than 12,000 individuals. Nearly 1,000 current and former clients of People Inc. have been notified of a security breach that may have exposed their personal identification information as well as personal health information. The nonprofit agency, which serves both older adults and individuals with developmental and intellectual disabilities, first discovered in mid-February that an unknown individual had gained access to an email account belonging to a People Inc. employee. An investigation by an independent forensic investigation firm followed, along with notifications to the Federal Bureau of Investigation and the Health and Human Services Office for Civil Rights’ breach portal.
Commenting on the story is Jonathan Deveaux, head of enterprise data protection at comforte AG:
“If there are companies that still think they are not targets of cybercrime, let this story be proof. Even non-profit companies may be subject to cyberattacks. It’s about the data. Hackers and attackers don’t care what kind of business you run; they only care about the data you have. Many past news headlines have been about credit card numbers stolen during data breaches, but what’s trending up lately is unauthorized access to personal identification information (PII).
In the case at People Inc., personal information such as Social Security numbers, driver’s licenses, health info, and financial data seemed to be the target, as an unauthorized wire transfer was attempted. Bad actors can do more bad things with PII than they can with stolen credit card numbers.
Companies who lose their customers’ PII can cause a huge impact on the individuals whose data they lost.
“Credit cards can be replaced; identities cannot.”
You only get one Social Security number, so if it falls into the wrong hands, people can be impacted for years.
Cybersecurity training helps raise awareness with people who have access to sensitive and personal data, as it is common knowledge that people are the weakest link in the cybersecurity chain.
Additionally, companies can look to deploy data security technology to help minimize the risk of data exposure. Pseudonymization and anonymization are highly effective methods companies can use through technologies such as tokenization or encryption. And, as a by-product, both help companies address data privacy requirements, which are coming into force in the US, state by state, very soon.”