Cyber Incident Victim: BCD Travel

On May 29, 2023, an external system breach occurred at BCD Travel USA LLC, a commercial entity based at 2500 Cumberland Parkway, Suite 150, Atlanta, Georgia, 30339. The unauthorized access to the company's systems continued until June 1, 2023. The incident was not discovered until more than two months later, on August 2, 2023. The nature of the breach was an external system breach involving hacking. The specific attacker actions, methodologies, or the exact systems targeted were not detailed in the available information. The investigation into the breach determined that the acquired information included the name or other personal identifier of affected individuals in combination with their financial account number or credit/debit card number. This financial information was acquired along with the corresponding security code, access code, password, or PIN for the account, indicating a significant compromise of sensitive financial data.

The total number of persons affected by this breach was greater than 3,000 individuals. This figure included a confirmed total of four Maine residents among the overall impacted population. As the number of affected Maine residents did not exceed 1,000, there was no requirement to notify the consumer reporting agencies under the specific reporting guidelines mentioned. The primary impact of the incident was the acquisition of highly sensitive personal and financial information, which created a substantial risk of identity theft and financial fraud for the thousands of individuals involved. The exposure of names in direct combination with complete financial credentials, including authentication codes, heightened the potential for immediate misuse of the compromised data.

BCD Travel USA LLC engaged the legal services of Hogan Lovells US LLP in response to the incident. Paul Otto, a Partner at the firm, acted as the legal representative for BCD Travel and submitted the breach notification to the Maine Attorney General's office. The contact telephone number provided was 202-637-5887, and the email address was [email protected]. The company's response included arranging for identity theft protection services for the affected individuals. These services were offered through Experian and consisted of credit monitoring and identity protection. This offering was provided at no cost to the impacted individuals for a duration of one year.

The method of consumer notification was written notice. The letters sent to affected individuals, including the four Maine residents, were dispatched on August 11, 2023. This notification occurred approximately nine days after the breach was discovered on August 2nd. A sample of the consumer notice letter was provided to the Maine Attorney General's office as part of the compliance filing. The letter detailed the nature of the information involved and outlined the protection services being offered. The compromise of financial account numbers alongside associated PINs and security codes represented a direct threat to the financial security of the victims, necessitating the provision of credit monitoring to help detect any fraudulent activity resulting from the breach. The breach occurred over a concise period in late May and early June but remained undetected within the system for the entirety of July, indicating a potential delay in the organization's security detection capabilities. The full scope of the attack and whether data was exfiltrated or merely accessed was not publicly disclosed in the available notification. The response focused on notifying consumers and providing them with tools to monitor their financial accounts for signs of fraud.