Cyber Incident Victim: Gensler
Date:
May 2023
Location:
United States of America
Summary
A cybersecurity incident impacted Gensler due to a third-party breach involving its MOVEit file transfer software. The unauthorized access resulted in the acquisition of names and Social Security Numbers for thousands of individuals. The firm discovered the intrusion and subsequently offered affected persons two years of identity theft protection services, including credit monitoring and fraud consultation provided by Experian IdentityWorks.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
A data security incident occurred involving M. Arthur Gensler, Jr. & Associates, Inc. The event was a third-party breach impacting the company's use of the MOVEit file transfer software from Progress. The unauthorized access to the software took place over a period of time, specifically from May 15, 2023, to May 31, 2023. The breach was not discovered by the organization until a later date, which was June 23, 2023. The specific technical details regarding the initial intrusion, the methods used by the threat actor to exploit the MOVEit software, and the exact timeline of access within that window were not detailed in the provided notifications.
The total number of individuals affected by this security event was 4,457 people. This figure represents the total number of persons impacted, including residents from various jurisdictions. Among this population, a single individual was identified as a resident of the state of Maine. The personal information that was acquired during the breach consisted of an individual's name or another personal identifier in combination with their Social Security Number. The compromise of this specific type of sensitive data elevated the severity of the incident due to the high risk of identity theft and financial fraud it presents to the affected individuals.
In response to discovering the breach, M. Arthur Gensler, Jr. & Associates, Inc. engaged external legal counsel, specifically Baker & Hostetler, LLP, to manage the incident response and notification process. The firm, represented by Partner David B. Sherman, acted on behalf of the company to fulfill its legal obligations. The company determined that the appropriate form of notification was written communication, which was sent directly to all affected individuals. The mass mailing of these notices was conducted on August 9, 2023.
As a remedial measure to help protect the affected individuals from potential misuse of their stolen personal information, the company offered identity theft protection services to every notice recipient. The service provided was through Experian IdentityWorks. This offering included a comprehensive suite of protections, specifically two full years of credit monitoring, access to fraud consultation services, and identity theft restoration support. The duration of this coverage was set for a period of twenty-four months from the time of enrollment.
The entity involved was identified as an "Other Commercial" organization. The company's address was listed as 500 S. Figueroa St. in Los Angeles, California, with a zip code of 90071. This incident was formally reported to the Office of the Maine Attorney General as required by state law due to the involvement of at least one Maine resident. The submission included copies of the notice that was sent to the affected Maine residents, titled "ELN-18635 Gensler-Non CA, MA 24 months r2prf.pdf" in one filing and "_Gensler - Letter Proof.pdfGensler ME Appendix.pdf" in another. The company also confirmed that there had been no previous breach notifications submitted within the twelve months preceding this incident.