Cyber Incident Victim: People Inc.

People Inc., a major nonprofit human services agency in western New York, discovered a data breach on February 19, 2019, involving unauthorized access to at least one employee email account. Forensic analysis indicated an unknown attacker infiltrated the account, potentially exposing sensitive information of up to 1,000 current and former clients. A second email account was suspected of compromise but remained unverified. The compromised accounts contained highly sensitive client data including full names, physical addresses, Social Security numbers, financial records, medical histories, health insurance details, and government-issued identification documents. The organization provides residential care, employment assistance, healthcare, and community programs for seniors, individuals with disabilities, and vulnerable populations, making the exposed data particularly sensitive.

Initial investigation suggested the primary breach vector was a weak password on the first email account, potentially vulnerable to brute-force attacks. People Inc. secured the account through a password reset and proactively disabled the second suspicious account. The nonprofit engaged a cybersecurity forensics firm to investigate the incident's scope and reported the breach to the FBI. No evidence emerged of actual misuse of the stolen data as of the disclosure date. On May 29, 2019—over three months after detection—People Inc. notified affected clients and offered complimentary credit monitoring services. The delayed notification period reflected the time required for forensic analysis and law enforcement coordination. The breach highlighted risks associated with email account security in handling protected client information across healthcare and social service operations.