
Cyber Incident Victim: Digital Air Strike

Date: Jun 2016

Location: United States of America

Summary

A cybersecurity breach at a digital marketing agency compromised approximately 93,000 customer accounts, including over 77,000 belonging to a major U.S. insurance and financial services provider. The exposed data contained encrypted passwords, names, geolocation details, usernames, and role-related information from the agency's development server, which improperly stored production data. A third-party cybersecurity firm identified the leaked datasets, which also included accounts linked to multiple corporate email domains. The affected agency confirmed the incident involved a non-production system, asserting only publicly available information was accessed and emphasizing enhanced security measures post-breach. The incident highlighted risks associated with using live data in development environments.


Description

In June 2016, Toronto-based digital marketing agency DAC Group suffered a security breach resulting in the theft of 93,000 customer accounts. The incident gained significant attention due to the inclusion of 77,000 accounts belonging to State Farm, a major U.S. insurance and financial services provider. Cyber intelligence firm Hacked-DB, led by Atar Kochavi, identified the leaked data through darknet monitoring, discovering folders containing encrypted passwords, first and last names, geolocation data, usernames, and role-related information tied to website functions. The breach exposed accounts associated with multiple organizations beyond State Farm, including those using email domains from Shoppersdrugmart.ca, Cooperators.ca, and various free email providers. DAC Group confirmed the breach originated from an isolated development server rather than production systems, though the presence of State Farm customer data contradicted their claim of only storing publicly available information.


DAC Group publicly acknowledged the breach after being contacted by media outlet HackRead, characterizing it as limited to non-production systems. The company initiated an internal review, enhanced development server security, and began notifying affected clients through communications directed by executive Nasser Sahlool. Forensic analysis suggested DAC had improperly used production data in development environments, a practice that amplified breach consequences despite password encryption. State Farm's substantial exposure through a third-party vendor highlighted supply chain vulnerabilities, though neither DAC nor State Farm disclosed specific remediation steps taken for compromised policyholders. The incident underscored risks associated with marketing agencies storing client customer data without adequate segmentation between development and production environments.
