Cyber Incident Victim: CIC Group

On April 24, 2023, CIC Group, Inc. filed a formal notice of a data breach with the Texas Attorney General’s Office. This filing was made after the company learned that confidential consumer information entrusted to it had been subject to unauthorized access. The company’s official filing indicated that the incident resulted in an unauthorized party gaining access to consumers' names, addresses, and Social Security numbers. The discovery of a potential data security incident triggered an internal company investigation. This investigation confirmed that certain confidential information within the company’s possession had indeed been accessed without authorization.

Following the confirmation that sensitive consumer data had been exposed to an unauthorized party, CIC Group undertook a review of the affected files. The purpose of this review was to determine the specific nature of the information that had been compromised and to identify which consumers were impacted by the breach. The company determined that the breached information varied from individual to individual but consistently involved the exposure of personal identifiers. The compromised data types included names, addresses, and Social Security numbers. The investigation into the scope of the breach revealed that 1,713 individuals residing in the state of Texas alone were affected by this incident.

Upon completing its review of the compromised files, CIC Group, Inc. initiated the process of notifying all individuals whose information was compromised as a result of the data security incident. On April 24, 2023, the same day as the filing with the Texas Attorney General, the company began sending out data breach notification letters to these impacted individuals. The notifications served to inform consumers about the breach and the specific types of their personal information that were involved. The company’s public communication regarding the breach at that time was limited to the required filing with the Texas Attorney General; it had not yet posted a notice of the incident on its own corporate website.

CIC Group, Inc. is a commercial and industrial business holding company based in St. Louis, Missouri. The company oversees the operations of several subsidiary companies, including Nooter, Nooter Ericksen, Wyatt, and Delta Bundle/Extraction Mechanical. Collectively, CIC Group and its subsidiaries provide engineering and construction services, focusing on solving complexities for clients operating within the energy sector. The company employs more than 708 people and generates approximately $393 million in annual revenue. The data breach incident involved unauthorized access to information that had been entrusted to this corporate entity.

The exposure of personal information, particularly Social Security numbers, significantly increases the risk of identity theft and other fraudulent activities for the affected individuals. Such data breaches can lead to financial losses and other serious consequences for the victims. The company’s response included the investigation and the subsequent notification process, which is a standard step to inform consumers of the potential risks they face. The filing with the Texas Attorney General is a regulatory requirement aimed at providing transparency about security incidents that affect the state's residents. The full scope of the breach beyond the confirmed 1,713 individuals in Texas was not detailed in the available filing. The incident represents a compromise of the data security measures that were in place to protect the sensitive information held by CIC Group, Inc.