Cyber Incident Victim: CBIZ, Inc.

On or around May 29, 2023, CBIZ, Inc., a commercial organization based in Cleveland, Ohio, experienced a significant external system breach. The security incident, characterized as hacking, persisted for over a week, with the unauthorized access continuing until June 5, 2023. The breach was not discovered until approximately two months later, on August 10, 2023. The investigation determined that the attacker successfully acquired sensitive personal information. The compromised data included the names of individuals in combination with their Social Security Numbers. The total number of persons affected by this incident was 35,843, which included 30 residents of the state of Maine.

In response to the breach, CBIZ, Inc. engaged outside counsel for legal assistance. The notification of the incident was submitted to the Maine Attorney General's office by a partner from the law firm Baker & Hostetler LLP. The entity undertook a written notification process to inform all affected individuals. These notifications were dispatched to consumers on September 1, 2023. As part of its response, CBIZ, Inc. offered complimentary identity theft protection services to the victims. These services were provided by Kroll and included credit monitoring and identity theft protection. The offering of these services was a direct measure to help mitigate the potential harm stemming from the exposure of highly sensitive Social Security numbers.

This incident involving CBIZ was part of a broader pattern of cyber attacks occurring during the same timeframe. On the same start date, May 29, 2023, MCPHS University, an educational institution in Boston, Massachusetts, also suffered an external system breach. This separate hacking incident also lasted until June 5, 2023. The university discovered the breach significantly later, on September 27, 2023. The information acquired was identical to the CBIZ breach: names paired with Social Security Numbers. A total of 899 individuals were affected, including six Maine residents. MCPHS University offered affected individuals 12 months of credit monitoring and identity theft protection services, also through Kroll. Their written consumer notifications were sent later, on November 3, 2023.

A third, temporally proximate incident was reported by Serco, Inc., a commercial organization based in Herndon, Virginia. This breach occurred on May 31, 2023, and was discovered on July 3, 2023. It was also described as an external system breach or hacking event. The attacker acquired the same class of data: names in combination with Social Security Numbers. The breach impacted 10,140 people, including 39 Maine residents. Serco, Inc. provided written notification to consumers on August 1, 2023, and offered one-year complimentary identity theft protection and credit monitoring services through a different provider, NortonLifeLock.

The primary impact of the CBIZ breach was the large-scale exposure of personally identifiable information, specifically Social Security Numbers. This type of data is highly sensitive and can be used for identity theft, financial fraud, and other malicious purposes. The consequences for the 35,843 affected individuals included an elevated risk of these crimes. The organizational impact involved the operational cost of investigating the breach, notifying victims, and providing protective services. The breach also necessitated regulatory compliance, as evidenced by the formal submission of a breach notification to the Maine Attorney General. The scope of the incident was national, affecting individuals across multiple states, with a confirmed subset of victims residing in Maine. The response actions focused on victim notification and the provision of protective measures to help safeguard their identities and credit. The engagement of external legal counsel indicated the seriousness with which CBIZ addressed the incident and the associated legal and regulatory obligations. The breach's duration of over a week suggested a sustained period of unauthorized access to the company's systems. The two-month gap between the breach's end and its discovery points to a potential delay in detection capabilities. The specific attacker actions, methodologies, or initial attack vectors used to compromise the CBIZ systems were not detailed in the available information. Similarly, the exact systems or servers targeted within the CBIZ infrastructure were not specified. The containment measures undertaken by CBIZ to eject the threat actor and secure their systems following the discovery on August 10 were not described in the public notification. The incident reflects the ongoing threat posed by cyber actors targeting organizations to exfiltrate sensitive personal information for criminal purposes.