Cyber Incident Victim: ISCorp

On May 31, 2023, Pear Tree Advisors, Inc., a commercial entity operating from 55 Old Bedford Rd in Lincoln, Massachusetts, experienced an external system breach. The breach was discovered on the same day it occurred, indicating a potential immediate detection of the unauthorized access or intrusion activity. The nature of the incident was categorized as an external system breach resulting from hacking. This classification points to an intrusion by an external threat actor who successfully compromised the company's information systems. The specific technical vector of the attack, such as malware, phishing, or exploitation of a software vulnerability, was not detailed in the available notification.

The information acquired during this breach was highly sensitive. The intruder successfully exfiltrated personal data that included the names of individuals in combination with their Social Security Numbers. This type of data combination is particularly critical as it provides the core elements necessary for identity theft and financial fraud. The breach impacted a total of 6,792 individuals. Among this larger group, 26 were identified as residents of the state of Maine. The disparity in numbers suggests that Pear Tree Advisors, while based in Massachusetts, holds data on a clientele or affected persons distributed across multiple states, with Maine representing a small fraction of the total impacted population.

The entity undertook a response process following the discovery of the breach. Pear Tree Advisors engaged outside legal counsel to manage the incident response and notification procedures. The firm Pierce Atwood LLP, with attorney Peter Guffin acting as the representative, was retained for this purpose. Mr. Guffin served as the official submitter of the breach notification to the Office of the Maine Attorney General. His contact information, including telephone number and email address, was provided as part of the formal filing, establishing a point of contact for the regulatory authority.

A period of over one month elapsed between the discovery of the breach on May 31 and the subsequent notification to consumers. The company determined that written notification was the appropriate method for informing the affected individuals. These written notices were dispatched to all 6,792 impacted persons on July 7, 2023. The time gap between discovery and notification is consistent with a standard incident response timeline that includes a thorough investigation to determine the full scope of the compromise, forensic analysis to understand the attack methodology, and the logistical preparation required for a mass mailing of notification letters.

A copy of the notice sent to the affected Maine residents was provided to the Maine Attorney General's office under the filename `EXPERIAN_Job42179d07_PearTreeAdvisors_SAS_2(16203667.1).pdf`. This document would have contained the specific details communicated to the victims, including a description of the event, the type of their personal information that was involved, and the steps the company was taking in response. Furthermore, Pear Tree Advisors confirmed that no previous breach notifications had been issued for any separate incident within the preceding 12-month period, indicating this was a standalone event during that timeframe.

As a remedial measure to mitigate potential harm to the victims, Pear Tree Advisors offered identity theft protection services to all affected individuals. The provider of these services was Experian IdentityWorks. The company committed to providing a 24-month subscription to this service for each person whose data was compromised. The suite of protections included daily online access to credit reports from the three major bureaus, enabling individuals to continuously monitor for any suspicious activity. The service also featured comprehensive credit monitoring, which would alert subscribers to key changes in their credit files that could indicate attempted fraud.

Beyond monitoring, the offered protection included identity-restoration assistance. This service provides victims with access to specialists who can guide them through the process of recovering their identity and repairing the damage if identity theft does occur as a result of the exposed information. Additionally, the offering was backed by a $1 million identity theft insurance policy. This insurance coverage is designed to help cover certain costs and expenses associated with the identity restoration process, such as legal fees, lost wages, and other related costs. The offering of such services is a common practice intended to provide a tangible safeguard for victims following a breach involving highly sensitive personal identifiers.

The breach was formally reported to the Maine Attorney General's Consumer Protection division, which maintains a public registry of data security breaches affecting state residents. The reporting entity was classified as an "Other Commercial" organization. The submission included all required entity information, details of the breach itself, and a comprehensive accounting of the notification and protection measures undertaken. The total number of Maine residents affected, being 26, was below the 1,000-person threshold that would have required additional formal notification to consumer reporting agencies under typical state laws.