Cyber Incident Victim: DAC Group

In early June 2016, unidentified hackers breached servers belonging to DAC Group, a Toronto-based digital marketing agency with offices across North America. The incident resulted in the theft and leak of approximately 93,000 customer accounts, with 77,000 belonging to clients of State Farm – a major U.S. insurance and financial services company based in Bloomington, Illinois. Cyber intelligence expert Atar Kochavi of Hacked-DB identified the leaked datasets during darknet monitoring, revealing compromised information including encrypted passwords, first and last names, geolocation data, usernames, and role-related information tied to DAC's web structure. Additional affected organizations included Shoppers Drug Mart, The Cooperators, Home Instead, and Manpower, identifiable through email domains in the leaked data. The breach exposed DAC's practice of storing production data within development environments, contrary to security best practices that recommend data anonymization in non-production systems.

DAC Group confirmed the breach through a statement provided to HackRead via Facebook, characterizing it as an illegal intrusion affecting "limited amounts of data from a single, isolated development server" rather than production systems. The company asserted they only handled publicly available information and stored no sensitive personal data, though the leaked records contradicted this claim. Following an internal review, DAC enhanced security measures on the compromised development server and initiated communications with affected clients, directing inquiries to executive Nasser Sahlool. The incident highlighted operational vulnerabilities in DAC's data management practices, particularly the exposure of third-party client information through inadequate environment segregation. State Farm's substantial representation among compromised accounts underscored the potential ripple effects of marketing agencies maintaining large client datasets without appropriate safeguards.