Recently, the mall retailer Spencer Gifts, LLC, announced a data breach stemming from what the company explained was a “data security incident.” According to a Spencer Gifts news release, on November 25, 2021, the company detected a security incident that impacted the availability and functionality of the corporate network. Through a subsequent investigation, Spencer Gifts learned that an unauthorized party gained access to the company’s network for the two-day period between November 24 and November 26, 2021. The portion of the network that was accessible to the unauthorized party contained data related to the company’s employee health plan. Thus, as a result of the breach, the names, Social Security numbers, health plan information, and financial account information used to make direct deposits of more than 10,000 individuals were compromised.
Data breaches such as this one can occur in several different ways. Often, they are often the result of a hacker breaching an organization’s network systems with the intent of accessing sensitive consumer information. While there is no telling why Spencer Gifts was the target of this recent cyberattack, cybercriminals frequently target companies that have vulnerabilities in their data-security technology.
Once a hacker gains access to a company’s computer networks, they can often remove any information contained on the networks. However, companies may not know which parties’ information was accessed and whether the hacker retained any of their data. All a company can tell consumers is that their information was accessible. Regardless, those whose information is compromised in a data breach are much more likely to experience identity theft or fall victim to other serious crimes. Given these risks, it is important for anyone who received a data breach letter from Spencer Gifts, LLC to protect themselves from the risk of identity theft.
Those who received a data breach letter from Spencer Gifts, LLC should be aware of the risks and take the steps necessary to limit another’s ability to assume their identity. While the fact that someone’s information is compromised doesn’t necessarily mean the unauthorized party will use it for criminal purposes, it is fairly common. This is especially the case in recent years. In fact, since the beginning of the COVID-19 pandemic, the rate of identity theft crimes has increased significantly. In many situations, criminal actors get the data they need to commit these crimes through a data breach such as this one.
Companies like Spencer Gifts, LLC have a duty to protect consumer data. If evidence emerges that Spencer Gifts mishandled your sensitive information leading up to the breach, you may be eligible for financial compensation through a data breach lawsuit.
Are Consumers Impacted by the Spencer Gifts Data Breach Entitled to Financial Compensation?
As a current or former employee of Spencer Gifts, you provided the company with your personal information, and you trusted it to keep your information secure. Certainly, anyone in your position would assume that the company would take whatever precautions were necessary to prevent unauthorized parties from accessing sensitive employee data. However, news of this data breach raises some very real questions about the adequacy of the company’s data security measures.
All employers have an ethical and legal obligation to ensure sensitive employee information remains private. And while developing and maintaining an effective data security system can be a burden, it is also a necessary cost of doing business in an environment where the threat of cyberattacks is ever-present.
The data breach laws of the United States allow employees to sue their employers for the misuse or negligent handling of their data. However, these laws are complex, and news of this data breach is very recent. Thus, at the current moment, there is not yet any evidence to show that Spencer Gifts bears responsibility for the cyberattack. However, that may change, as our data breach lawyers are looking into the breach to determine what legal remedies employees of Spencer Gifts, LLC may have against the company.
If you have questions about your ability to bring a data breach class action lawsuit against Spencer Gifts, LLC, you should contact a data breach attorney as soon as possible.
What to Do if You Received a Data Breach Notification from Spencer Gifts, LLC
If Spencer Gifts sent you a data breach letter, you were among those whose personal data was accessible in the recent data breach. This means that a total stranger—very likely a criminal—might have accessed, viewed, and retained your sensitive personal information. While no one can know why a hacker would want your information or what they might do with it, criminal intent cannot be ruled out. Given this reality, it is essential you remain vigilant to protect yourself from the heightened risk of identity theft by taking the following steps:
- Carefully read the data breach letter sent by Spencer Gifts, LLC to determine what information was accessible;
- Make a copy of the letter for your records;
- Enroll in the free credit monitoring service provided by Spencer Gifts, LLC;
- Change all your online passwords and security questions;
- Enable two-factor or multi-factor authentication, where it is available;
- Regularly review your credit card and bank account statements for any signs of suspicious activity;
- Monitor your credit report for any unexpected changes that may be a sign of identity theft;
- Contact one of the major credit bureaus to request they add a fraud alert to your profile; and
- Notify your banks and credit card companies of the data breach.
About Spencer Gifts, LLC
Founded in Easton, Pennsylvania, in 1947, Spencer Gifts, LLC is a mall retailer with more than 650 stores across the United States. Spencer Gifts sells a range of novelty and gag gifts, as well as clothing, décor, collectible figurines, and jewelry. Spencer Gifts’ target demographic is young adults between the ages of 18 to 24. Spencer Gifts, LLC also owns the Halloween pop-up store Spirit Halloween, which sells costumes, décor, and other seasonal items.
The Details of the Spencer Gifts, LLC Consumer Data Breach
According to the most recent data breach letter issued by Spencer Gifts, LLC, on November 25, 2021, 2021, the company noticed issues with the “availability and functionality” of its computer network. While Spencer Gifts did not elaborate on the nature or cause of the cyberattack, the company revealed that through a subsequent investigation, it discovered that an unauthorized party gained access to the company’s network between November 24 and November 26, 2021. It was later determined that the compromised files housed data related to the company’s employee health plan and contained the full names, Social Security numbers, health plan information, and financial account information of 10,024 individuals who are or were employed by Spencer Gifts.
Around January 24, 2021, Spencer Gifts, LLC began sending out written notice of the breach to all affected parties, describing what occurred and informing employees on what they could do to protect themselves. While Spencer Gifts has no knowledge that any of the compromised data was used by the unauthorized party, the company encouraged those who received a data breach letter to keep a lookout for signs of identity theft and fraud by closely monitoring their online accounts and credit reports.
Below is a copy of the initial data breach letter issued by Spencer Gifts, LLC (a sample copy of the actual notice sent to consumers can be found here):
Spencer Gifts LLC recognizes the importance of protecting the personal information we maintain. We are writing to let you know of a data security incident that involved some of your information. This notice explains the incident, measures we have taken, and some additional steps you may consider taking in response.
On November 25, 2021, we detected a security incident which impacted the availability and functionality of our corporate network. Upon discovering the incident, we immediately took measures to contain the incident, notified law enforcement, and began an investigation. Through our investigation, we determined that an unauthorized actor accessed our network between November 24, 2021 and November 26, 2021, and may have accessed certain files contained on our servers. We reviewed those files and identified documents relating to payroll and enrollment in our employee health plan, which contain your name, Social Security number, health plan selection, and financial account number used for direct deposit.
We deeply regret any inconvenience or concern this incident may cause you, and we want you to know we take this matter very seriously. As a precaution, we arranged for you to receive a complimentary one-year membership in Experian® IdentityWorksSM. This product helps detect possible misuse of your information and provides you with identity protection support focused on immediate identification and resolution of identity theft. IdentityWorks is free and enrolling in this program will not affect your credit score. For instructions on how to activate your complimentary one-year membership and steps you can take to protect your information, please see the pages that follow this letter.
To help prevent a similar event in the future, we are continuing to review and enhance our existing security protocols and practices, including implementation of additional electronic security features. If you have any questions about the incident, please call 1-???-???-????, Monday through Friday, from 9:00 a.m. to 6:30 p.m., Eastern Time (excluding some U.S. holidays). For assistance enrolling in the complimentary credit monitoring program, please contact Experian’s customer care team at 1-877-890-9332.