On August 8, 2022, eCapital Corp. reported a data breach with the office of the Attorney General of Massachusetts after the company detected unauthorized access within its computer network. According to the eCapital, the breach resulted in the names, Social Security numbers, driver’s license numbers and passport numbers of certain individuals being compromised. After confirming the breach and identifying all affected parties, eCapital Corporation began sending out data breach letters to all affected parties.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the eCapital Corporation data breach, please see our recent piece on the topic here.
What We Know About the eCapital Corporation Data Breach
The information about the eCapital Corp. data breach comes from an official filing with the Attorney General of Massachusetts. According to the most current information, on July 22, 2021, eCapital Corp. learned that an unauthorized party had gained access to its IT system. In response, the company took the necessary steps to secure its network, modified its existing data security protocol, and began working with an outside cybersecurity consulting firm to investigate the incident.
Upon discovering that sensitive consumer data was accessible to an unauthorized party, eCapital Corporation began the process of reviewing all affected files to determine what information was compromised and which consumers were impacted by the incident. While the breached information varies depending on the individual, it may include your Social Security number, driver’s license number, and passport number.
On August 8, 2022, eCapital Corporation sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
More Information About eCapital Corp.
Founded in 2006, eCapital Corp. is a credit card processing and business services company based in Aventura, Florida. eCapital Corp. works with other companies in the trucking, staffing, manufacturing, service, apparel, wholesale and food & beverage industries, helping them gain access to capital. Some of the services eCapital Corp. provides include freight factoring, invoice factoring, payroll funding, asset-based lending, equipment financing, and lines of credit. eCapital Corporation employs more than 335 people and generates approximately $183 million in annual revenue.
Why Did eCapital Wait So Long to Announce the Data Breach?
The eCapital Corporation data breach was first discovered in July 2021; however, the company did not release its “Notice of Data Breach” letter to affected individuals until August 2022—more than a full year after the incident. If eCapital knew that consumer data may have been leaked more than nine months ago, why did the company wait to inform consumers? Wouldn’t this delay increase the likelihood of identity theft or other frauds?
The answer to this question is undoubtedly “yes.” Hackers and other cybercriminals try to use the information they obtain through a data breach as soon as possible. This is because the information may become stale if they wait too long. For example, a consumer might cancel their credit cards, close their bank accounts, or sign up for fraud protection services, making it harder for criminals to steal their identity.
Thus, by waiting to provide notice, a company gives hackers ample time to use the data for criminal purposes. So why would a company wait to notify those who were affected by a data breach? There are a few possible reasons for a company’s delay in issuing data breach notification letters.
One possible reason is that the company didn’t realize it had been hacked. Of course, organizations with robust data security systems should be able to detect and contain a breach rather quickly. So, while companies can’t report a breach they are unaware of, this is rarely a sufficient explanation—at least from a consumer’s perspective.
Another reason why a company may not report a data breach right away is that the company is cooperating with an ongoing law enforcement investigation. Law enforcement agencies sometimes ask companies not to report a breach immediately because doing so alerts hackers that the breach has been detected and an investigation is underway. This could interfere with law enforcement’s ability to determine who orchestrated the attack and may decrease the chances of bringing the parties to justice.
Yet another reason why a company may not report a breach right after its discovery is that the company is in the process of reviewing the leaked data to see what type of information was exposed and who was affected. When a company learns of a data breach, it usually needs to review all the compromised files, which can be a lengthy process. Of course, companies can issue preliminary data breach notices to customers, providing what limited information they have at the time.
The fact that eCapital Corporation waited to file official notice of a data breach doesn’t mean the company was being negligent. It also doesn’t necessarily mean that the company was trying to sweep the incident under the rug. However, as a general practice, companies that learn of a data security incident should inform consumers as soon as possible, giving them time to protect themselves from the worst consequences of a breach.