14 DAY TRIAL // Sensitive information belonging to individuals who had their background checked through the investigation services of CICS Employment Services managed to slip into the hands of an unauthorized entity.
CICS was alerted by the FBI that data from applications had been leaked to a third party and an investigation of the company's computer network has been deployed, both by the law enforcement agency and the company.
However, unlike other data breach incidents, in this case there was no evidence of a compromise; as such, there is no information on the date the leak occurred.
“The FBI’s forensic examinations of relevant portions of our computer network, database and third party storage provider revealed no evidence of any compromise,” Alex Ward, owner of the company says in the letter addressed to the affected individuals.
CICS also contracted the services of an independent forensics firm to determine if the security measures enabled by the company have been bypassed. The results were the same as the FBI’s: no sign of compromise.
According to the company, the information accessed without authorization includes names, addresses, dates of birth, and Social Security numbers. This is more than enough for cybercriminals to engage in identity theft operations and apply for credit in the name of the victims.
In order to prevent fraudulent activity targeting its clients, CICS offers free subscription for one year to an identity protection service.
To make sure that the personally identifiable information of its clients is safe, “and due to our concerns about it being a vendor related breach,” the company switched to a different web host and ensured that all the data on their network was encrypted.
[UPDATE, February 10]: Many readers have expressed their belief that the notification letter from CICS is a scam because they have not applied for a job in a very long time.
CICS is not an employment agency, despite the name of the company suggesting so. The services it provides are investigative in nature, meaning that it runs background checks on employees at the request of their employers.
Those receiving the letters have had personal information exposed as a result of their company requesting CICS to do a background check on them.
CICS issued the notification letter after receiving an alert from the FBI about a possible data leak. As per the law in many US states, companies are required to notify the office of the Attorney General when personally identifiable information of a larger number of individuals has been exposed.
The notification letter linked to in the article above is from the office of Attorney General in Vermont, but offices in other states received it too, such as the one in California.