Cyber Incident Victim: Educational Enrichment Systems, Inc.

Date: May 2019

Location: United States of America

Summary

Educational Enrichment Systems experienced unauthorized access to an employee email account over several weeks, discovered during an investigation prompted by unusual activity. The compromised account contained sensitive personal information including names, addresses, Social Security numbers, financial and health insurance details, student education records, and medical history data. While no evidence of actual misuse was found, the organization notified affected individuals and provided complimentary credit monitoring and identity protection services.

Description

Educational Enrichment Systems, Inc. (EES), a provider of preschool services in partnership with school districts and agencies, experienced a data security incident involving unauthorized access to an employee email account. The breach was first detected on August 30, 2019, when EES identified unusual activity associated with the account. An internal investigation supported by forensic experts determined the unauthorized access occurred over a seven-week period between May 27, 2019, and July 15, 2019. While investigators found no evidence that threat actors accessed, attempted to misuse, or actually misused sensitive information during this timeframe, EES conducted a comprehensive review of the compromised account's contents to assess potential exposure. This review confirmed the presence of sensitive personal data within emails and their attachments stored in the account.

The types of information potentially exposed included affected individuals' names, physical addresses, Social Security numbers, financial account details, health insurance information, student education records, and medical history or treatment information. EES initiated individual notifications to persons whose data was present in the breached email account, though the exact number of affected individuals was not disclosed in the public notice. As a precautionary measure, the organization offered complimentary credit monitoring and identity protection services to those impacted. EES publicly disclosed the incident through a press release on its website in February 2020, approximately six months after discovering the breach, emphasizing its commitment to information security while acknowledging the event's potential consequences for data confidentiality. The organization did not report evidence of system-wide compromise beyond the single employee email account or specify whether credentials were compromised through phishing or other attack vectors.
