Cyber Incident Victim: CBC Group
Date:
Jun 2022
Location:
United States of America
Summary
CBC Group experienced a cybersecurity incident where an unauthorized party accessed its network, potentially compromising sensitive consumer data including names, Social Security numbers, driver's licenses or government IDs, financial account details, and passport information. The company secured its systems, engaged law enforcement and external cybersecurity experts, and conducted a review to identify affected individuals. Notification letters were subsequently sent to impacted parties, accompanied by an offer of complimentary credit monitoring services for one year. The breach impacted multiple personal identifiers and financial data elements, prompting the organization to implement response measures aimed at mitigating further risks.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On June 23, 2022, CBC Group, Inc. discovered it had been targeted in a cyberattack, prompting immediate containment measures including system security enhancements, FBI notification, and engagement of external cybersecurity experts to investigate the incident. The investigation confirmed unauthorized access to CBC's network with potential data exfiltration, though specific intrusion methods or attacker identities remained undisclosed. By August 16, 2022, CBC completed its forensic review of compromised files, determining that attackers accessed sensitive consumer information including full names, Social Security numbers, driver's licenses or government ID numbers, financial account details, and passport numbers. The breach impacted an unspecified number of individuals whose data resided on CBC systems, with exposure timelines not publicly detailed. On September 2, 2022, CBC formally reported the breach to the Montana Attorney General and initiated mailed notifications to all affected parties, fulfilling regulatory disclosure requirements 71 days after initial intrusion detection.
CBC Group's breach notification letters confirmed the compromise of multiple high-sensitivity data categories capable of facilitating identity theft or financial fraud, though the exact number of victims and geographic distribution were not disclosed in regulatory filings. The Phoenix-based retail holding company, which operates 11 brands including Santa Barbara Design Studio and Christian Brands Catholic, attributed the delayed notification timeline to the complexity of manually reviewing affected files across its network over 54 days. As remediation, CBC offered impacted individuals 12 months of complimentary credit monitoring services but did not disclose whether systems were fully remediated or if ransomware was involved. No operational disruptions or financial losses beyond data compromise were reported by the company, which employs 136 staff and generates $33 million annually. The incident marked at least the second major breach affecting Montana residents reported in 2022 under state disclosure laws requiring notification within 60 days of breach confirmation.