On August 31, 2022, Platinum Performance reported a data breach to the Attorney General of Montana after the company was targeted in an email phishing attack. The company did not publicly state which types of data were exposed; however, under Montana's reporting guidelines a company need only report a breach that involves consumers' Social Security numbers, financial account information, driver's license numbers, or state identification numbers. Thus, while it cannot be confirmed, the Platinum Performance breach likely involved one or more of these data types. After confirming the breach and identifying all affected parties, Platinum Performance began sending data breach letters to those individuals.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Platinum Performance data breach, please see our recent piece on the topic here.
What We Know About the Platinum Performance Data Breach
The information about the Platinum Performance data breach comes from the company’s official filing with the Attorney General of Montana. Based on this source, on May 6, 2022, Platinum Performance discovered that an unauthorized party had gained access to two employee email accounts.
In response to learning of the compromised email accounts, Platinum Performance stopped the unauthorized access, took steps to secure its computer systems, and notified law enforcement. The company also engaged third-party data security specialists to assist with its investigation.
As a result of this investigation, the company confirmed that the unauthorized access began on or around September 8, 2021. Thus, it appears the unauthorized party had access to the two compromised email accounts from September 8, 2021 until May 6, 2022, roughly eight months. The investigation also revealed that the emails and attachments in the affected accounts contained sensitive consumer information.
Upon discovering that sensitive consumer data was accessible to an unauthorized party, Platinum Performance began reviewing all affected files to determine what information was compromised and which consumers were impacted. While the notice filed with the Montana Attorney General's office does not list the specific data types that were leaked, based on state reporting requirements it is likely that the breach involved one or more of the following:
Social Security numbers;
Financial account information; or
Driver's license numbers or state identification numbers.
On August 31, 2022, Platinum Performance sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
More Information About Platinum Performance
Founded in 1996, Platinum Performance is a manufacturer and retailer of pet nutritional supplements based in Buellton, California. The company develops and creates its own line of horse, dog and cat supplements, which it sells on its website. The company’s products are designed to promote healthy joints, digestive systems, and bones for all animals, including those that suffer from allergies. Platinum Performance employs more than 109 people and generates approximately $23 million in annual revenue.
Email Phishing Attacks Are the Most Common Way Hackers Access Employee Email Accounts
In the notice provided to victims of the recent data breach, Platinum Performance explains that the incident was the result of an unauthorized party gaining access to employee email accounts. In fact, the company went as far as to explain that the incident was due to a successful email phishing attack targeting the company’s employees.
While there are other ways an attacker can get into an employee's email account, most email-based cyberattacks involve phishing. In this respect, the Platinum Performance data breach is far from unique.
Phishing is a type of cyberattack in which an attacker sends an employee an email in the hope of getting the employee to hand over access to their account, device, or network. Attackers disguise these attempts by making the email appear to come from a legitimate source: phishing emails are designed to look official, and attackers are often skilled at this, using the correct company logo and sending from a domain name that closely resembles the real one.
In the email, the attacker either tries to trick the employee into supplying the information needed to access the employee's email account or tries to convince the employee to click a malicious link. The attacker relies on social engineering to create a sense of urgency or authority, so the employee does as asked without stopping to verify the request. For example, the following are all common pretexts for a phishing email:
The employee reached their email storage limit;
An email the employee sent was returned as undeliverable; or
There was an unauthorized login to the employee’s account, necessitating a password reset.
Most often, the email either makes a simple request for information (such as login credentials) or contains a malicious link that, when clicked, takes the employee to an unrelated website made to look like a legitimate login page, where any credentials entered go straight to the attacker. In some cases, attackers instead attach a malicious file to the email and ask the employee to open it.
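The patterns described above (a sender domain that closely resembles the real one, a display name impersonating a trusted sender, the storage-limit / undeliverable-mail / unauthorized-login pretexts, and links whose visible text does not match their real destination) can be turned into simple triage rules. The following is an added example written for this page; it is not code from Platinum Performance or its notice. It assumes a hypothetical organization whose mail domain is example.com, and the two sample messages it runs over are constructed for illustration.

```python
"""Heuristic triage for the phishing patterns described above.

Added example, not from the company or its breach notice. The organization
domain (example.com) and the two sample messages are constructed for
illustration; tune LEGIT_DOMAIN, BRAND and PRETEXT_PATTERNS for real use.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import List
from urllib.parse import urlparse

LEGIT_DOMAIN = "example.com"   # hypothetical: the organization's real mail domain
BRAND = "example"              # hypothetical: brand word used in trusted display names

# Pretexts named in the text: storage limit, undeliverable mail, unauthorized login, reset.
PRETEXT_PATTERNS = [
    r"storage (limit|quota)",
    r"undeliver(able|ed)",
    r"unauthori[sz]ed (login|sign[- ]?in|access)",
    r"(reset|verify|confirm) your (password|account)",
]

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance between domains flags a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, legit: str = LEGIT_DOMAIN) -> bool:
    """True for domains that imitate `legit` without being it or one of its subdomains."""
    domain, legit = domain.lower(), legit.lower()
    if domain == legit or domain.endswith("." + legit):
        return False
    if edit_distance(domain, legit) <= 2:
        return True                      # e.g. examp1e.com, exarnple.com, example.co
    labels = re.split(r"[.-]", domain)   # brand as a label of an unrelated domain,
    return legit.split(".")[0] in labels  # e.g. example-com-login.net


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def triage(raw: bytes) -> List[str]:
    """Return human-readable findings for one RFC 5322 message (empty if nothing fired)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if is_lookalike(from_domain):
        findings.append(f"sender domain {from_domain!r} looks like {LEGIT_DOMAIN!r}")
    trusted = from_domain == LEGIT_DOMAIN or from_domain.endswith("." + LEGIT_DOMAIN)
    if BRAND in name.lower() and not trusted:
        findings.append(f"display name {name!r} claims {BRAND!r} but address is {addr!r}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    haystack = msg.get("Subject", "") + "\n" + text
    for pat in PRETEXT_PATTERNS:
        if re.search(pat, haystack, re.I):
            findings.append(f"pretext matched: /{pat}/")
            break

    # Visible link text that names one host while the href goes to another.
    for href, anchor in HREF_RE.findall(text):
        real = host_of(href)
        shown = host_of(anchor.strip()) if "://" in anchor else ""
        if shown and shown != real:
            findings.append(f"link text shows {shown!r} but goes to {real!r}")
        elif is_lookalike(real):
            findings.append(f"link to lookalike domain {real!r}")

    for part in msg.iter_attachments():
        fn = part.get_filename() or ""
        if fn.lower().endswith((".exe", ".js", ".hta", ".scr", ".iso", ".zip")):
            findings.append(f"risky attachment {fn!r}")
    return findings


# Constructed sample messages (not real mail).
PHISH = b"""\
From: "Example IT Support" <helpdesk@examp1e.com>
To: employee@example.com
Subject: Action required: your mailbox storage limit has been reached
Content-Type: text/html; charset="utf-8"

<html><body><p>Your mailbox is full. Confirm your account within 24 hours.</p>
<a href="http://examp1e.com/reset">https://mail.example.com/reset</a></body></html>
"""

LEGIT = b"""\
From: "Example IT Support" <helpdesk@example.com>
To: employee@example.com
Subject: Scheduled maintenance this weekend
Content-Type: text/plain; charset="utf-8"

Webmail at https://mail.example.com will be unavailable Saturday 02:00-04:00.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(raw) or ["no findings"])
```

Rules like these are a first-pass filter, not a verdict: a lookalike domain or a pretext word on its own is weak evidence, but several findings on one message is a strong reason to quarantine it and have a person look. The lookalike check deliberately treats subdomains of the real domain as trusted and catches both typosquats (small edit distance) and the brand word buried in an unrelated domain.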
According to the Identity Theft Resource Center, a third of all cyberattacks in 2021 were phishing attacks, making phishing the single most common type of cyberattack. In part, this is because phishing attacks are among the easiest to carry out and have a high success rate. For example, according to a 2021 study, employees in the United States receive 14 malicious emails per year on average, while employees in certain industries, such as retail, receive more than four times that many. Perhaps the most striking statistic is that 86% of companies reported having at least one employee click a phishing link in 2021.