Cyber Incident Victim: Lyons Companies
Date: Feb 2019
Location: United States of America
Summary
A cybersecurity incident involving Lyons Companies stemmed from unauthorized access to two employee email accounts, with one compromised over an extended period and the other briefly. The investigation could not definitively confirm whether attackers viewed or exfiltrated data, but exposed information potentially included names, contact details, driver’s license numbers, financial account information, dates of birth, medical records and identifiers, diagnosis and treatment specifics, Medicare/Medicaid numbers, health insurance details, and—for a limited subset—Social Security numbers. The organization issued breach notifications to all potentially impacted individuals due to the uncertain scope of data exposure.
Description
On March 12, 2019, Lyons Companies detected unusual activity in an employee email account and immediately opened an investigation. The inquiry revealed unauthorized access to two separate employee email accounts. The first had been compromised for an extended period, from February 4 to March 12, 2019; the second saw unauthorized access limited to a few hours on March 12, the day of initial detection. The company launched a forensic investigation to determine the nature and scope of the breach, but investigators were unable to conclusively establish whether any specific data had been accessed or exfiltrated. Lyons Companies did not publicly disclose the method of unauthorized access, nor whether external threat actors or internal misuse caused the compromise. The breach notification press release, issued on August 23, 2019, more than five months after detection, confirmed that the company could not rule out data exposure despite the inconclusive findings. No evidence suggested the incident extended beyond the two email accounts, and Lyons Companies did not report broader network intrusion or additional compromised assets beyond these individual mailboxes. The timeline indicates a 36-day window of access to the first account before detection (the attacker's dwell time), while exposure of the second account was limited to a few hours on the day the activity was noticed.

The potentially exposed information varied by individual but included names, contact details, driver's license information, financial account data, dates of birth, medical record numbers, patient identifiers, clinical treatment details, Medicare/Medicaid IDs, and health insurance claims information. A minority of affected individuals faced potential exposure of Social Security numbers, though the notification neither quantified this subgroup nor provided an overall victim count. Lyons Companies opted to notify all potentially impacted parties despite the investigation's inconclusive findings on actual data access, a precautionary approach to regulatory compliance and consumer protection. The notification acknowledged that the compromised email accounts held sensitive health information but did not specify whether the affected individuals were patients, clients, or business partners. No ransomware deployment, data destruction, or financial demands were reported in connection with the incident. The company's public response focused solely on the email account intrusions and did not describe subsequent security enhancements, forensic methodology, or law enforcement involvement. Lyons Companies directed concerned parties to the full notification for additional details but did not disclose whether credit monitoring or identity protection services were offered to affected individuals.
