M.C. Dean, Inc. Reports Data Breach After Unauthorized Party Had Access to the Company’s Computer System for Six Months

Console and Associates, P.C.
Contact

On September 14, 2022, M.C. Dean, Inc. confirmed that the company experienced a data breach after an unauthorized party gained access to sensitive consumer data contained on M.C. Dean’s network. That same day, M.C. Dean also sent out data breach letters to all affected parties, informing them of the incident and what they can do to protect themselves from identity theft and other frauds. While the company’s data breach letter does not mention the types of information that were leaked as a result of the incident, based on state data breach reporting requirements, it is likely that the incident impacted consumers’ names as well as their Social Security numbers, financial account information or protected health information.

What We Know About the M.C. Dean Data Breach

According to an official notice filed by the company, on June 2, 2022, M.C. Dean detected suspicious activity within its computer network. In response, the company secured its systems, notified law enforcement, and then engaged a third-party cybersecurity firm to assist with the company’s investigation in hopes of determining what, if any, consumer information was leaked.

The company’s investigation confirmed that an unauthorized party had gained access to the M.C. Dean computer network on December 24, 2021, and that this access lasted until June 2, 2022, when the company discovered the intrusion. It was also revealed that the unauthorized party was able to access files that contained sensitive information pertaining to certain individuals.

Upon discovering that sensitive consumer data was accessible to an unauthorized party, M.C. Dean then reviewed the affected files to determine what information was compromised and which consumers were impacted. The company completed its review of all affected files on August 10, 2022. While M.C. Dean did not provide details about the nature of the information that was compromised, Montana state law only requires companies to report a breach if certain information was involved, including consumers’ names and one or more of the following:

  • Social Security numbers,

  • Protected health information,

  • Driver’s license or state identification numbers, or

  • Financial account information.

On September 14, 2022, M.C. Dean sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.

Why Are Some Data Breaches Reported More Quickly than Others?

The M.C. Dean data breach was first discovered in June 2022; however, the company did not file an official notice of the breach or send out data breach letters to affected individuals until mid-September 2022. Assuming that M.C. Dean knew that consumer data may have been leaked, why did the company wait to inform those who were affected by the incident? Wouldn’t this delay increase the likelihood of identity theft or other frauds?

Certainly, the answer to the second question is “yes.” Hackers and other cybercriminals typically try to use any information they obtain through a data breach as soon as possible. This is because the information may become stale if a consumer cancels their credit cards, closes their bank accounts, or takes other steps to secure their information. Thus, by waiting to provide notice, a company gives hackers more time to use the data for criminal purposes. Why, then, would a company wait to notify those who were affected by a data breach? There are a few possible answers.

One possible explanation for a company waiting to notify consumers of a breach is that the company didn’t realize it had been hacked. Certainly, in the case of the M.C. Dean breach, it appears that the company did not discover that an unauthorized party had access to its computer system for more than five months. Of course, organizations with robust data security systems can often detect and contain a breach rather quickly. So, while companies can’t report a breach they are unaware of, a company’s failure to discover unauthorized access raises questions about its data security practices.

Another reason why a company may not immediately report a data breach is that it is cooperating with an ongoing investigation. In some situations, law enforcement agencies ask companies to wait to report a breach. This is so hackers are not alerted to the fact that the breach has been detected and is under investigation. By holding off on reporting the breach, the company gives law enforcement time to investigate the incident and, potentially, catch the hackers who conducted the attack.

Yet another reason why a company may not report a breach right after its discovery is that the company is in the process of reviewing the leaked data to see what type of information was exposed and who was affected. When a company learns of a data breach, it may not know what data was compromised until it completes a thorough investigation, which can take some time. Of course, companies can issue preliminary data breach notices to customers, providing what limited information they have at the time. Companies can also post notices on social media or on their website.

The fact that a company waits to file an official notice of a data breach doesn’t mean the company is being negligent of the risks the breach poses to consumers. It also doesn’t necessarily mean that the company is trying to sweep the incident under the rug. However, as a general practice, companies that learn of a data security incident should inform consumers as soon as possible, giving them time to protect themselves from the worst consequences of a breach.

Currently, it is not known how many people were affected by the M.C. Dean data breach. However, if you receive a data breach notification from M.C. Dean, it is safe to say that your information was among the leaked data. If you have done business with M.C. Dean and would like to see a copy of the September 14, 2022 data breach letter and learn more about your options following the breach, click here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Console and Associates, P.C. | Attorney Advertising

Written by:

Console and Associates, P.C.
Contact
more
less

Console and Associates, P.C. on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.