Cyber Incident Victim: iSpace
Date: Jan 2023
Location: United States of America
Summary
A staffing firm experienced unauthorized network access leading to the exposure of sensitive consumer data, including names, Social Security numbers, dates of birth, health insurance details, diagnosis and prescription information. The breach occurred over several days before detection, prompting the company to secure its systems and investigate. Following a review of compromised files, notifications were sent to affected individuals whose information was accessed from client-provided records. The incident potentially impacted multiple organizations affiliated with the company across technology, healthcare, and business sectors, though specific client breaches remain unconfirmed. Exposed data poses risks of identity theft and fraud for impacted consumers.
Description
On February 5, 2023, iSpace, Inc. detected suspicious activity within its computer systems, prompting immediate network security measures and an internal investigation to determine the nature and scope of the incident. The investigation revealed unauthorized access to and copying of files from iSpace's environment during a seven-day period between January 30, 2023, and February 5, 2023. Forensic analysis confirmed that the compromised files contained sensitive consumer information provided to iSpace through its business services. The company completed its review of affected data on March 3, 2023, identifying specific categories of exposed personal information including full names, Social Security numbers, dates of birth, medical diagnosis details, prescription information, health insurance policy/group numbers, subscriber numbers, and other health insurance-related data. The breach stemmed from unauthorized third-party infiltration of iSpace's network infrastructure where client-provided consumer records were stored.

iSpace formally notified the Montana Attorney General's office of the breach on May 31, 2023, and initiated mail notifications to affected individuals the same day. While the company did not publicly disclose the total number of impacted consumers or specific client organizations affected, its website listed affiliations with twelve entities including the Southland Technology Conference, Los Angeles Chamber of Commerce, UCLA Anderson School of Management, and multiple professional associations across healthcare, technology, and business sectors. The compromised data exposed victims to potential identity theft and fraud risks due to the inclusion of government-issued identifiers and protected health information. As a staffing and technology services provider handling sensitive records for clients in healthcare, artificial intelligence, and data analytics sectors, the breach implicated consumer data entrusted to iSpace through its business process service operations. No ransomware deployment or specific attacker methodologies were detailed in the company's public filings or breach notification statements.
