Cyber Incident Victim: Afni, Inc.

On June 7, 2021, Afni, Inc. detected anomalous activity on its computer systems, prompting immediate engagement with third-party cybersecurity professionals to investigate the incident. The investigation confirmed unauthorized access to the company's systems on or before that date, with potential viewing or removal of sensitive consumer data. Afni subsequently conducted a comprehensive review of affected files to identify compromised information and impacted individuals. The compromised data included names, addresses, Social Security numbers, and dates of birth, with specific details varying by individual. Afni completed its internal review nearly one year after detection, determining the full scope of exposed personal information. The Bloomington, Illinois-based company, founded in 1936 as a collection agency, provides business services including digital engagement and call center operations across U.S. and Philippine offices.

Afni notified affected individuals through data breach letters mailed on June 14, 2022, exactly one year after confirming the security incident. The delayed notification timeline raised questions about potential risks to consumers, as exposed personal information could facilitate identity theft or fraud during the interim period. While the company did not publicly specify reasons for the delay, general industry explanations cited in coverage include ongoing law enforcement investigations, extended forensic analysis requirements, and time-intensive data mapping processes to identify victims. The breach impacted personally identifiable information (PII) critical to financial identity verification systems. No specific threat actor details, data exfiltration methods, or containment procedures were disclosed in the company's notification letters or public statements. Afni's disclosure emphasized the potential accessibility of sensitive consumer data to unauthorized parties without confirming actual misuse of information.