Description

The Premium Mortgage Company, located in Rochester, New York, with additional branches in New York and Florida, experienced a data breach in the last week of August 2023. The company detected suspicious activity on August 31, leading to an investigation by an external cybersecurity firm, which concluded in November. Its findings, released on November 29, revealed unauthorized access to several business email accounts, initiated through a malicious email attachment from a government address. Approximately 11,000 customers were impacted, with compromised data including names, birth dates, Social Security numbers (SSN), account numbers, and bank routing details.

Basis of the Case

An Indiana resident filed one lawsuit, alleging that the plaintiff didn’t receive a breach notification letter until January 18, 2024, months after the initial detection of suspicious activity in August of the previous year and the conclusion of the investigation in November. The plaintiff contends that the delayed notification worsened the impact on them and the proposed class by delaying critical protective actions for their personal information (PI). The plaintiff goes on to report that the defendant’s failure to properly notify the plaintiff and members of the proposed class of the data breach exacerbated their injury by depriving them of the earliest ability to take appropriate measures to protect their personal information and mitigate possible harm.

Another lawsuit was initiated by a Texas resident, who claims the breach was due to the defendant’s inadequate cybersecurity measures, rendering the attack both foreseeable and preventable. This suit argues that reasonable security practices, such as data encryption or timely deletion of unnecessary data, could have safeguarded the personal information of the plaintiff and class members. The lawsuit aims to secure compensation for damages incurred from the breach, including lost opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach.

Call to Action

Email continues to be the preferred method for attackers aiming to penetrate organizations, using tactics such as phishing and malicious attachments, among others. Email attack methodologies have become more advanced over the years as threat actors continue to refine their techniques. The challenge of detection intensifies when attacks are launched from seemingly recognized or trusted sources. Traditional email security solutions, much like signature-based antivirus programs, struggle to guard against sophisticated email threats that do not exhibit typical suspicious characteristics. More advanced email security solutions also play a critical role in alerting security teams to high-risk configuration alterations in user and mail tenant settings by constantly monitoring for deviations from established secure baselines or best practices. Despite these advancements, no solution can catch every attack, underscoring the importance of reinforcing email security with measures like multi-factor authentication (MFA) and geolocation restrictions.

HALOCK Security Labs provides Security Awareness Training and Penetration Testing to help organizations stay educated, implement proper security controls, and put their security investments (and people) to the test. You can also identify likely threats to your organization through a Risk Based Threat Assessment.