Cyber Incident Victim: Carvin Software
Date: Feb 2023
Location: United States of America
Summary
A cybersecurity incident involving Carvin Software resulted in unauthorized access to sensitive consumer information after an intruder copied files from the company’s network over several weeks. The compromised data included names, Social Security numbers, and financial account details, impacting hundreds of thousands of individuals across numerous staffing-industry clients. The company detected suspicious activity, secured its systems, and initiated an investigation, determining that the breach exposed confidential data. Affected parties received notifications after the investigation concluded, and identity theft protection services were offered to mitigate potential risks. The incident affected clients of over 30 staffing firms relying on the company’s software solutions.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On February 22, 2023, an unauthorized party gained access to the computer network of Carvin Software, LLC, a Gilbert, Arizona-based software company specializing in customized staffing industry solutions. The breach persisted undetected until April 21, 2023, when Carvin Software discovered suspicious activity and initiated a response. The company isolated affected servers, secured its systems, and launched an investigation to determine the nature and scope of the incident. Forensic analysis confirmed threat actors had exfiltrated files containing sensitive consumer data over a 15-day period between February 22 and March 9, 2023. The compromised information included personal identifiers combined with financial details—specifically consumers' names, Social Security numbers, and financial account information with associated security codes or PINs. Investigation results revealed this external system breach impacted 356,871 individuals nationwide, including 5,679 Maine residents, making this one of the largest workforce management sector breaches reported that year.

Carvin Software completed its review of compromised files by May 2023 and commenced consumer notification procedures. On May 2, 2023, the company formally reported the breach to the Maine Attorney General's office, disclosing that data belonging to clients of 31 staffing agencies—including Ace Personnel, Labor Smart, and Terry Neese Personnel—had been accessed. Written breach notification letters, sent on May 19, 2023, detailed the specific data elements exposed per individual and outlined remediation measures. All affected consumers received offers for 12 months of complimentary credit monitoring and identity theft protection services through IDX. The breach temporarily disrupted operations for Carvin Software's primary products—Arborsoft and Staffing Complete—though the 25-employee firm maintained business continuity while reinforcing network security protocols. Staffing agencies relying on these platforms faced secondary risks of targeted phishing campaigns exploiting the stolen credential combinations. The company, which has $5 million in revenue, had filed no prior breach notifications within the preceding twelve months, indicating this incident represented a novel security failure in its fifteen-year operational history.
