Cyber Incident Victim: Emmi Roth USA

On August 10, 2023, Emmi Roth USA, Inc., a commercial entity based at 5525 Nobel Drive, Suite 100 in Fitchburg, Wisconsin, discovered it had fallen victim to a significant cybersecurity incident. The company identified that a third party had gained unauthorized access to its information technology environment on that same date, classifying the event as an external system breach resulting from hacking. The discovery prompted an immediate and decisive response from the organization, which deployed pre-existing security measures to contain and mitigate the threat. These substantial security controls, implemented prior to the incident, proved effective, allowing the company to contain the threat within a few hours and quickly return to a normal state of business operations. Following the containment, Emmi Roth retained an external incident response team to accelerate its recovery efforts and proactively notified the Federal Bureau of Investigation (FBI) of the breach, offering assistance with the ensuing investigation.

An internal investigation was launched to determine the scope and impact of the cyberattack. The investigation revealed that the unauthorized third party had gained access to certain Emmi Roth files and records. The compromised data contained sensitive personal information related exclusively to individuals associated with the company's workforce. Specifically, the impacted data pertained to current and former employees of Emmi Roth USA, Inc. itself, as well as current and former employees of certain Emmi Roth affiliates and subsidiaries. The company was explicit in its public communication that it does not retain sensitive personal data on its customers, clients, or suppliers; therefore, no data belonging to those groups was involved in this security breach. The specific affiliates and subsidiaries whose employee data was impacted were not named in the public notification.

The type of personal information acquired during the breach was a name or other personal identifier in combination with a Social Security Number. In total, the incident affected 1,310 individuals. Among those affected, one was identified as a resident of the state of Maine. The compromised nature of this data, particularly the inclusion of Social Security numbers, elevated the potential risk of identity theft for the impacted individuals, necessitating a formal response and mitigation strategy from the company.

Emmi Roth undertook the process of notifying all affected individuals. The type of notification provided was written correspondence. The company stated that it was in the process of sending detailed letters to its current employees to inform them of the incident and the steps being taken. For former employees of Emmi Roth or its affiliated entities, the process involved contacting a dedicated call center to determine their eligibility for protective services. The dates for consumer notification were set for September 15, 2023, which provided a timeline of slightly over a month from the discovery date for the company to complete its investigation and prepare the necessary communications.

Out of an abundance of caution, and despite there being no indication that any of the sensitive personal data involved had been misused or would be misused in the future, Emmi Roth offered complimentary credit monitoring and identity theft protection services to all individuals impacted by the breach. These services were provided through Equifax and included a comprehensive package. The offering consisted of a 24-month subscription to Equifax Premier™ and Equifax Child Monitoring services, designed to provide ongoing surveillance of credit reports and alert individuals to potentially fraudulent activity. Current employees received instructions on how to enroll in these services directly within their mailed notification letters, while former employees were directed to inquire through the established call center to ascertain their eligibility and receive enrollment guidance.

To manage the influx of inquiries and provide support to concerned individuals, Emmi Roth established a dedicated call center. This resource was made available to answer questions about the incident and was reachable at 844-709-1704. The call center operated during extended hours, from 9:00 a.m. to 9:00 p.m. Eastern Standard Time, Monday through Friday. In addition to the call center, the company published a Frequently Asked Questions (FAQ) sheet on its website to address common concerns and provide clear, accessible information about the breach, the response, and the resources available to those affected. The company emphasized its commitment to ensuring everyone had answers to their questions and concerns regarding this event.

The incident was reported to the appropriate authorities as required by law. The submission to the Maine Attorney General's office, a measure triggered by the breach affecting a resident of that state, was handled by Steven G. Stransky, a partner at the law firm Thompson Hine, who acted as a Breach Coach for Emmi Roth. This filing confirmed the details of the breach, including the date of occurrence, the date of discovery, the number of individuals affected, and the types of data compromised. The report also confirmed that because the number of affected Maine residents was only one, and therefore did not exceed one thousand, there was no requirement to notify the consumer reporting agencies as part of that specific regulatory obligation. The company's approach demonstrated a structured effort to comply with data breach notification statutes and to provide transparency regarding the event.

The breach at Emmi Roth serves as an example of a contained cyber incident where pre-established security controls played a critical role in limiting the duration of unauthorized access and facilitating a swift recovery. The company’s response highlights a coordinated effort involving internal teams, external cybersecurity experts, and law enforcement. The focus of the response was squarely on mitigating potential harm to the individuals whose sensitive information was exposed, with a significant investment in protective services to safeguard their financial identities. The communication strategy aimed to provide clear channels of information for both current and former employees, acknowledging the different notification paths required for each group while maintaining a consistent message about the support and resources being offered.