Cyber Incident Victim: Livingston International

On April 24, 2023, Livingston International, Inc. filed a notice of data breach with the Texas Attorney General. The filing confirmed that an unauthorized party had gained access to confidential consumer information entrusted to the company. The company determined that the incident resulted in the exposure of consumers' sensitive personal data. The specific details regarding the exact date of the initial unauthorized access or the date of discovery were not disclosed in the public filing. The available information did not clarify whether the security breach occurred within Livingston International's own systems or if it originated at a third-party vendor that provided services to the company.

Upon discovering that sensitive consumer data had been accessed by an unauthorized party, Livingston International initiated a review of the affected files. The purpose of this review was to determine the specific scope of the compromised information and to identify which consumers were impacted by the security incident. The investigation confirmed that the breached information varied from individual to individual but included a range of highly sensitive personal identifiers. The compromised data types consisted of consumers' names, addresses, Social Security numbers, driver's license numbers, and financial account information.

The completion of the internal review allowed Livingston International to confirm the individuals affected and to prepare for consumer notification. On April 24, 2023, the same day as the filing with the Texas Attorney General, the company began sending out data breach notification letters to all individuals whose information was compromised as a result of the recent data security incident. These letters served to inform consumers that their personal data had been exposed and was potentially in the possession of an unauthorized actor. The notification process was a direct response to the confirmed leak of consumer data.

Livingston International, Inc. is an international customs broker based in Toronto, Canada. The company was founded in 1945 and provides a suite of services including international trade consulting, global trade management, freight forwarding, and other logistics services to customers worldwide. In 2019, the company was acquired by the global investment firm Platinum Equity. At the time of the incident, Livingston International employed more than 2,900 people and generated approximately $947 million in annual revenue. The breach impacted information related to consumers who had entrusted their data to the company, though the specific number of affected individuals was not disclosed in the initial filing.

The primary impact of the incident was the unauthorized access and exposure of highly sensitive personal information. The leakage of Social Security numbers and driver's license numbers significantly increases the risk of identity theft for the affected consumers. The compromise of financial account information further elevates the potential for financial fraud and other malicious activities. The exposure of names and addresses in conjunction with the other data elements provides criminals with sufficient information to carry out targeted phishing campaigns, attempts to open new lines of credit, or other forms of impersonation.

The company's public response was characterized by its compliance with regulatory requirements, specifically through its filing with the Texas Attorney General. This action formally acknowledged the breach to a government authority. The subsequent mailing of individual data breach notification letters constituted the company's direct response to the affected consumers. These steps are consistent with standard procedures following the confirmation of a data security incident. No further details regarding technical containment measures, such as system isolation or password resets, or any investigation into the threat actor were provided in the available source material. The public notice on the Texas Attorney General's website contained limited information, and the company had not yet posted a notice of the breach on its own corporate website at the time the filing was made.