Dive Brief:
- A data breach at C.R. England compromised Social Security numbers of thousands of people, according to notices the company provided to several states last month.
- The trucking company discovered suspicious activity in its systems at the end of October. But it was not until late April that it concluded files with personal information had been illicitly accessed. It took C.R. England another month to send data breach notices to states and letters to affected people.
- C.R. England, which reported the breach to the FBI, has implemented additional security measures and contracted IDX to offer affected parties complimentary identity protection services for up to 2 years, according to a template of its data breach notification letters.
Dive Insight:
C.R. England's experience shows that identifying a breach, mitigating future risks and complying with cybersecurity laws can be a lengthy process.
How C.R. England responded to a data breach
Letters to affected people reveal a six-month journey for the trucking company.
- October 30, 2021: C.R. England discovers unauthorized activity on its systems. It immediately begins "containment, mitigation and restoration efforts" to stop the activity and secure its network, systems, and data. The trucking company also retains "cybersecurity experts to conduct a forensic investigation" into the incident.
- April 20, 2022: C.R. England concludes certain files breached during the incident contain the personal information of thousands of people. The trucking company begins to collect the current addresses of affected people in order to notify them of the breach.
- May 23, 2022: C.R. England begins sending letters to affected people. The letters include the specific personal information that was compromised for the individual, an offer for the recipients to enroll in complimentary identity theft protection services by August 23, 2022, and details of C.R. England's response to the incident.
- May 24, 2022: C.R. England begins to report the incident to various states.
Many states in the U.S. have laws requiring companies to individually alert any person whose information was compromised as a result of a data breach.
In C.R. England's case, that number could be as high as 224,572 people, according to a Console & Associates blog post. The number includes the more than 900 people in Massachusetts and 19,000 in Texas that C.R. England confirmed were affected in notices filed with each individual state.
"We have no reason to believe that your information was published, shared, or misused," C.R. England said in its template letter to affected people. C.R. England declined to provide comment for this story, or clarify whether the affected people were employees or other parties.
Cyberattacks can prove a financial burden, too.
As a result of suspicious activity, C.R. England chose to retain cybersecurity experts to conduct an independent investigation into the incident. In addition, once the breach was found to have affected personal information like Social Security numbers, C.R. England turned to IDX, a data breach and identity recovery services firm.
IDX is maintaining a dedicated website on behalf of C.R. England to provide affected people information and services related to the incident. The services include "credit monitoring, dark web monitoring, $1 million identity theft reimbursement insurance, and fully managed identity recovery services," according to the letter.
C.R. England also set up a call center for affected people, which is active for 12 hours a day on weekdays.
Data breaches and other cyberattacks have affected various trucking and logistics companies over the years. A 2019 malware attack at Roadrunner Transportation Systems cost the company $7 million in LTL revenue, for example. And in 2020, there were at least six high-profile cyberattacks on logistics firms.