On August 16, 2022, Service By Medallion, Inc. (“SBM”) reported a data breach after an unauthorized party gained access to an employee's email account. According to SBM, the breach resulted in the names and Social Security numbers of certain individuals being compromised. After confirming the breach and identifying all affected parties, Service By Medallion began sending out data breach letters to all affected parties.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Service By Medallion data breach, please see our recent piece on the topic here.
What We Know About the Service By Medallion Data Breach
The information about the Service By Medallion, Inc. data breach comes from an official company filing with the Attorney General of California. According to the most recently available information, on January 5, 2022, Service By Medallion first detected unusual activity within an employee’s email account. In response, SBM secured its servers and began an investigation into the incident in hopes of learning more about its causes as well as whether any consumer data was exposed as a result.
The company’s investigation confirmed that an unauthorized party gained access to the affected employee's email account on August 21, 2021, and that this unauthorized access lasted until January 16, 2022, shortly after the company detected the intrusion. Through its investigation, Service By Medallion also learned that the compromised email account may contain sensitive consumer information.
Upon discovering that sensitive consumer data was accessible to an unauthorized party, Service By Medallion began the process of reviewing all affected files to determine what information was compromised and which consumers were impacted by the incident. While the breached information varies depending on the individual, it may include your name and Social Security number.
On August 16, 2022, Service By Medallion sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
More Information About Service By Medallion, Inc.
Founded in 1978, Service By Medallion, Inc. is a facility maintenance and janitorial services company based in Mountain View, California. Aside from janitorial and maintenance services, the company also provides a range of other services to its clients, including consulting & project management, temporary staffing, workplace repairs and maintenance, and construction support. Service By Medallion employs more than 209 people and generates approximately $122 million in annual revenue.
Was the Service By Medallion Breach Due to an Email Phishing Attack?
In its letter to victims of the breach, Service By Medallion provided some details regarding the recent breach. For example, the company explained that the incident resulted from an unauthorized actor gaining access to an employee email account, which led to the names and Social Security numbers of certain individuals being compromised. However, SBM did not explain how the unauthorized party got access to the email account. While it hasn’t been confirmed, it is possible that the breach started with a phishing email.
Phishing attacks are the most common type of cyberattack. According to the Identity Theft Resource Center (“ITRC”), there were over 320 phishing attacks in 2021 alone, making up about a third of all cyberattacks that year. Another report from 2021 indicates that U.S. workers receive an average of 14 malicious emails per year. And some workers, such as those in the retail industry, receive an average of 49 malicious emails per year.
While it may seem as though it would be easy to detect a fraudulent email, that is not the case. These attacks are well-designed and appear to come from trusted sources. In fact, 86% of companies had at least one employee who clicked a phishing link in 2021.
Phishing attacks involve a hacker sending a seemingly legitimate email to an employee of an organization in hopes of getting the employee to provide the hacker with information. Most often, hackers seek login credentials or other data that can be used to access the organization’s IT network. To accomplish this, hackers rely on principles of social engineering to trick an employee into giving them the information they are looking for.
While a company is also a victim of a phishing attack, the real harm of a data breach affects those whose information is stolen and subsequently used for fraudulent purposes. For example, the data hackers obtain through an email phishing campaign can be used to commit fraud or identity theft against the individuals whose information they obtain.
Given the frequency with which these attacks occur, businesses are aware of the threat phishing attacks pose. Thus, it is essential that they take the appropriate steps to educate employees about phishing risks and the steps they can take to prevent a successful attack.