Date:

Apr 2018

Location:

United States of America

Summary

A security incident at a third-party vendor providing online audit and inspection systems potentially compromised personal information of Pennsylvania Department of Corrections employees, inmates, and affiliated individuals. Unauthorized access to the vendor’s system resulted in data export, with exposed information possibly including full names, driver’s license numbers, home addresses, Social Security numbers, and medical details. The affected organization notified the Department of Corrections, which subsequently alerted potentially impacted parties.

Description

On April 3, 2018, Accreditation, Audit & Risk Management Security, LLC (AARMS), a third-party vendor providing online audit and inspection management systems to the Pennsylvania Department of Corrections (DOC), experienced a security incident. The breach involved unauthorized access to AARMS’s system, with a portion of the stored data exported by the attackers. The DOC used this system to conduct, manage, and track audits and inspections related to its accreditation and internal operations. AARMS notified the DOC of the incident on April 9, 2018, six days after the breach occurred. The vendor confirmed that its system had been compromised but did not disclose the specific methods of unauthorized access or the identity of the threat actors.

The compromised data potentially included full names, driver’s license numbers, home addresses, Social Security numbers, and medical information belonging to DOC employees, inmates, and other individuals associated with the department. The exact scope and contents of the exfiltrated data remained unconfirmed at the time of the DOC’s public disclosure on July 23, 2018. In response, the DOC issued individual notification letters to all potentially affected parties, advising them of the risks posed by the exposure of their personal information. No details were provided regarding the number of individuals impacted, forensic findings about the attack vector, or subsequent security improvements implemented by AARMS. The DOC’s public statement emphasized the vendor’s role in the incident but did not describe any coordinated remediation efforts beyond notifications.
