Cyber Incident Victim: doTERRA

In April 2016, doTERRA, a Utah-based essential oil company, notified customers and distributors of a potential data breach involving their third-party data hosting and software service provider. The breach occurred the previous month, in March 2016, and exposed sensitive personal information belonging to the company's clients and business partners. According to notification letters dated April 18, 2016, the compromised data included names, Social Security numbers or other identification numbers, payment card information, dates of birth, postal and email addresses, telephone numbers, usernames, and passwords. The company did not disclose specific details about how the breach occurred or the identity of the affected third-party provider. doTERRA initiated customer notifications promptly after discovering the incident, indicating the breach involved external systems rather than their direct infrastructure.

The company reported that at least 2,330 New Hampshire residents were affected by the breach, though the total number of impacted individuals across all jurisdictions remained undisclosed. Copies of the notification letter appeared on the official websites of both the California and New Hampshire Attorneys General, demonstrating compliance with state breach notification laws. The breach exposed multiple categories of sensitive data that could facilitate identity theft or financial fraud, creating significant risks for affected individuals. doTERRA's notification advised customers to monitor their accounts and credit reports but did not specify whether the company offered complimentary credit monitoring services. The incident highlighted supply chain vulnerabilities through third-party service providers while leaving unanswered questions about the attack vector, duration of unauthorized access, and full geographic scope of affected customers beyond the confirmed New Hampshire cases.