On July 29, 2022, Community Surgical Supply Inc. (“CSS”) reported a data breach after the company discovered that some of its files had been encrypted and were accessible to the unauthorized party that orchestrated the cyberattack. According to CSS, the breach resulted in the names, addresses, driver’s license numbers, government identification numbers, passport numbers, Social Security numbers, and dates of birth of 66,115 individuals being compromised. After confirming the breach and identifying everyone affected, Community Surgical Supply began sending out data breach letters to all affected parties.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Community Surgical Supply data breach, please see our recent piece on the topic here.
What We Know About the Community Surgical Supply Data Breach
The information about the Community Surgical Supply Inc. data breach comes from an official notice the company filed with various state government entities. Evidently, on October 5, 2021, Community Surgical Supply first learned of the incident when employees noticed that certain company files were encrypted. In response, CSS took the necessary steps to secure its network and then worked with cybersecurity professionals to investigate the incident. On July 1, 2022, the company’s investigation confirmed that an unauthorized party was able to access portions of the Community Surgical Supply network and that the compromised files contained sensitive consumer information.
Upon discovering that sensitive consumer data was accessible to an unauthorized party, Community Surgical Supply began the process of reviewing all affected files to determine what information was compromised and which consumers were impacted by the incident. While the breached information varies depending on the individual, it may include your first and last name, address, driver’s license number, government identification number, passport number, Social Security number, and date of birth.
On July 29, 2022, Community Surgical Supply sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident. Based on the most recent estimates, the CSS data breach affected 66,155 individuals.
More Information About Community Surgical Supply Inc.
Founded in 1962, Community Surgical Supply Inc. is a medical supply manufacturing company and retailer based in Toms River, New Jersey. The company supplies specialized healthcare products to patients, nurses, dieticians and respiratory therapists, including respiratory, enteral nutrition, sleep and infusion therapy products and services. Community Surgical Supply employs more than 775 people and generates approximately $226 million in annual revenue.
Was the Community Surgical Supply Breach Caused by a Ransomware Attack?
In the data breach letter Community Surgical Supply Inc. sent to victims of the recent data security incident, the company mentioned that it first learned it was the victim of a cyberattack when it noticed certain files on its network had been encrypted. Encryption is common in the IT world, and while encryption is frequently used for a wide range of legal purposes, it is also the weapon of choice among hackers.
Encryption is a process that encodes files, making them inaccessible to anyone without an encryption key. Individuals and companies encrypt files every day to protect sensitive data. However, cyberattackers also use encryption when orchestrating a ransomware attack. So, while CSS did not explicitly say that the company was the victim of a ransomware attack, the encrypted files described in its data breach letter are a good indication that was the case.
A ransomware attack is when a hacker installs a specific kind of malware on a victim’s computer that encrypts some or all of the files on the device. When the victim logs back on, they will see a message from the hackers demanding the victim pay a ransom if they want to regain access to their computer. If the victim pays the ransom, the hackers decrypt the files, or at least they are supposed to. Generally, hackers honor their commitment to decrypt files after a ransom is paid because, if they didn’t, there would be no incentive for any company to pay a ransom.
To compel companies that may be on the fence about paying a ransom, some hackers have started to threaten to publish the stolen data if the company does not pay. However, the FBI advises companies not to pay ransoms following a ransomware attack because doing so keeps these attacks profitable. This is similar to the reasoning behind the government’s refusal to negotiate with terrorists. Of course, companies that experience a ransomware attack are in a difficult position because they would undoubtedly prefer to quietly pay a ransom to avoid news of the breach becoming public.
Companies can, and should, take preventative steps to avoid becoming the target of a ransomware attack rather than trying to mitigate the damages of an attack after the fact. Still, despite the widespread knowledge of the risks of ransomware attacks, many companies fail to devote adequate resources to their data security systems.