Cyber Incident Victim: Jonas Fitness
Date: Jun 2023
Location: United States of America
Summary
A cybersecurity incident impacted Jonas Fitness, a point-of-sale vendor, via an external system breach. The hacking event resulted in the acquisition of personal information for over 4,800 individuals, including one Maine resident. The compromised data consisted of names in combination with driver's license or state identification card numbers. The company provided notification to affected consumers through written correspondence.
Description
On or around June 1, 2023, Jonas Fitness, Inc., a point-of-sale vendor based in Webster, Texas, experienced an external system breach. The incident was discovered on the same day it occurred. The breach was the result of hacking activity that compromised the company's systems. The unauthorized access led to the acquisition of personal information belonging to a total of 4,816 individuals. Among those affected, one was a resident of the state of Maine. The specific type of personal information that was acquired consisted of names or other personal identifiers in combination with driver's license numbers or non-driver identification card numbers. Social Security numbers were not involved in this particular incident, as indicated by the sample notification letter provided for affected individuals.

The entity, Jonas Fitness, Inc., reported the incident through its external counsel, Will Daugherty, a partner at the law firm Norton Rose Fulbright US LLP. The breach notification was formally submitted to the Office of the Maine Attorney General on May 31, 2023. The notification process for consumers was conducted via written letter. The letters to the affected individuals were sent out approximately two months after the discovery of the breach, with the notification date recorded as August 1, 2023. The company did not offer identity theft protection services to the victims of the breach. The reason for this decision was not elaborated upon in the provided notification details.

The impact of the breach was confined to the theft of specific government-issued identification details, which distinguishes it from incidents involving more comprehensive sets of personal data such as Social Security numbers or financial account information. The compromised data, however, still presents a risk of identity fraud and could be used for malicious purposes such as creating false identification. The scope of the breach was significant, affecting several thousand people across multiple jurisdictions, though the vast majority were not residents of Maine. The company's address was listed as a post office box in Texas, suggesting its operations and customer base may be distributed nationally.

The response actions undertaken by Jonas Fitness included the immediate discovery of the breach on the day it occurred, though the specific technical methods of detection were not detailed in the public notification. The company engaged external legal counsel to manage the regulatory compliance aspect of the incident, including the duty to inform the appropriate authorities and the affected population. The chosen method of consumer notification was direct written communication, which aligns with common practices for informing individuals of a data security incident. The timeline from breach discovery to consumer notification was a period of two months, which may have involved an internal investigation to determine the full scope and impact of the incident before commencing the notification process. The company provided a sample of the notification letter to the Maine Attorney General's office as part of its compliance with state breach notification laws.
