Unraveling ComplyRight’s Data Breach

After a data breach, a company’s warning letter was met with scrutiny by some recipients who believed it to be a scam.

Jeremy Nation, MetaCert. Published Jul 21, 2018.

A third-party consulting company, ComplyRight, recently sent a letter notifying recipients that a data breach had taken place and that personal information stored on the company’s website may have been accessed by a malicious party.

Once made aware of the issue, ComplyRight temporarily disabled its platform to deal with it. A third-party forensic investigation of the company’s systems concluded that there had indeed been unauthorized access to sensitive data, and in an abundance of caution ComplyRight has offered to pay for 12 months of free credit monitoring and identity theft protection services.

In the letter from ComplyRight, dated July 13, 2018, the company admits it became aware of a potential issue with its web platform on May 22, 2018. Research into the incident revealed that between April 20, 2018 and May 22, 2018, someone had gained unauthorized access to the company’s systems. On June 14, 2018, ComplyRight became aware of specific cases of sensitive data having been accessed or viewed.

ComplyRight isn’t the first company to feel the sting of a data breach. The rash of recent security issues experienced by big businesses has affected consumers far and wide.

As of yet there have been no reports or evidence that the accessed data has been used for nefarious purposes. Still, it is recommended that consumers who receive any notice from the company take protective measures: place a fraud alert with one of the three major credit reporting companies (TransUnion, Equifax, or Experian), and/or put a security freeze on their credit file by sending a written request by mail to all three of them.

ComplyRight did not initially announce the breach on its website or social media feed, making it difficult to corroborate the letter with any published resources. As a result, some who initially received the letter expressed skepticism over its authenticity, fearing that the resources provided in the letter may have led to more elaborate phishing attempts.

I reached out to find out what was going on, since not much was clear, and received correspondence from ComplyRight President Susan Drenning, who was able to let me know that the letter sent out to consumers informing them of the data breach was indeed legitimate.

“ComplyRight takes the privacy and security of personal information very seriously. We recently became aware of a security incident involving some of the personal information that was maintained on the tax form preparation websites using our platform. At this time, we are contacting all site users and payers associated with those tax form recipients that are impacted — as well as the tax form recipients directly — to share the steps we have undertaken since discovering the incident, and to provide guidance on what impacted individuals can do to protect themselves.”

In the email correspondence with Drenning I was provided a link to a security notice published by ComplyRight on July 18, 2018, which appears in the company’s newsroom on the main site.

According to the notice, less than 10 percent of individuals whose tax forms were prepared using the ComplyRight web platform may have had their records accessed, including the names, addresses, phone numbers, email addresses, and Social Security numbers of individual tax form recipients.

The notice attempts to clarify confusion about the letter sent to individuals:

“ComplyRight provides a web platform used by a number of different tax form preparation websites. On behalf of those organizations and our clients, we executed the communication plan to advise those affected as promptly as possible.

This is not a scam, and we apologize for any confusion that may have arisen due to your lack of familiarity with our company.”

ComplyRight indicated that it has reported the incident to the proper authorities, and that no user’s or payer’s bank account information was included in the breached data. In addition, the company has committed itself to providing additional updates to the public when they become available.
