Cyber Incident Victim: Overseas Service Corporation
Date:
Mar 2021
Location:
United States of America
Summary
Overseas Service Corporation experienced a phishing email attack that compromised a small number of email accounts, potentially exposing names alongside sensitive data such as Social Security numbers, financial account details, payment card information, driver's license numbers, and limited medical records. The organization initiated notifications to affected individuals via mail and established a dedicated call center for inquiries, though it confirmed no evidence of actual data misuse. Additional security measures were implemented following the incident to mitigate future risks.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around March 10, 2021, Overseas Service Corporation (OSC) disclosed a phishing email incident that compromised a limited number of email accounts within its computer environment. The unauthorized access occurred after employees interacted with phishing emails, though the exact timeline of initial compromise and detection was not specified in public notifications. Attackers gained access to information stored within the affected email accounts, which included individuals’ names combined with sensitive personal data. Exposed data categories encompassed Social Security numbers, financial account details such as checking account numbers, payment card information, driver’s license numbers, and limited medical or health information. OSC did not confirm whether unauthorized actors actually viewed or exfiltrated the data, nor did it specify the number of affected individuals or email accounts. The organization acknowledged the incident’s potential impact on both employees and other individuals whose data resided in the compromised accounts but did not clarify the exact scope beyond confirming the involvement of health-related information. No evidence of data misuse was identified at the time of disclosure.
OSC initiated a notification process on March 10, 2021, mailing letters to individuals whose information was confirmed as exposed and for whom the organization possessed valid mailing addresses. For individuals lacking address records, OSC published a substitute notice on its website to fulfill disclosure obligations. The company established a dedicated call center operational Monday through Friday from 8:00 A.M. to 5:30 P.M. Central Time, accessible via 1-855-498-2033, to address inquiries about the incident. Affected parties were directed to OSC’s website for additional resources, including a PDF document outlining recommended protective measures for personal information. While OSC did not detail the specific technical vulnerabilities exploited in the phishing campaign, it announced the implementation of additional security measures to prevent similar incidents. The breach notification did not reference regulatory filings with entities like HHS, suggesting potential exemptions based on incident scale or data types involved. OSC’s public statement emphasized transparency through its press release and direct communications but avoided disclosing operational specifics about the attack methodology or post-incident forensic findings.