Cyber Incident Victim: Enders
Date: Apr 2020
Location: United States of America
Summary
An insurance firm experienced a data breach when an employee's email account was compromised, potentially exposing sensitive personal and medical information including names, Social Security numbers, financial account details, and health records. The organization discovered the incident shortly afterward and conducted an investigation to determine impacted individuals, ultimately notifying affected parties despite finding no evidence of data misuse. The breach impacted multiple categories of personally identifiable information and protected health data stored within the compromised email system.
Description
The data breach affecting Colonial Park Realty Co., operating as Enders Insurance, began with unauthorized access to an employee’s email account in April 2020. The compromise was discovered on May 7, 2020, triggering an investigation to determine the scope and impacted individuals. Enders Insurance did not disclose the exact method of initial compromise or the duration of unauthorized access prior to detection. The investigation focused on identifying which sensitive customer information was exposed through the breached email account. No evidence suggested misuse of the accessed data at the time of discovery, according to the company’s statements.

Enders Insurance determined that the compromised data included personally identifiable information such as names, dates of birth, Social Security numbers, driver’s license numbers, and passport numbers. Financial and medical details were also exposed, encompassing payment card information, bank account data, health insurance specifics, and medical treatment or diagnosis records. The company issued notifications to affected customers in February 2021, nearly ten months after discovering the breach, citing an abundance of caution despite lacking evidence of data misuse. Public disclosure occurred via a press release and a statement on Enders’ website, though the firm did not specify remediation steps beyond notification. The incident exposed multiple categories of high-sensitivity data but did not result in publicly confirmed cases of identity theft or fraud linked to the breach at the time of reporting.
