Cyber Incident Victim: Retail Capital

On March 17, 2015, unauthorized individuals gained access to a Retail Capital sales manager’s electronic mailbox for approximately 40 minutes, locking the employee out during this period. The compromised mailbox contained funding applications and supporting documentation submitted by applicants seeking capital from the Michigan-based company. Intruders potentially accessed the personal information of 741 individuals, including names, business addresses, Social Security numbers, driver’s license numbers, and bank account numbers or statements. Retail Capital detected the intrusion promptly, though the specific method of detection was not disclosed. The breach was confined to this single mailbox, with no evidence suggesting compromise of other employee accounts or corporate systems. The attackers’ actions were limited to the mailbox access window, with no confirmed exfiltration or misuse of data identified during the incident.

Retail Capital reestablished control over the mailbox following the 40-minute intrusion and implemented enhanced security procedures to prevent recurrence, though technical specifics were not detailed in notifications. The company initiated breach notifications to all potentially affected individuals, advising them of the exposure risks to their sensitive financial and identification data. As remediation, Retail Capital offered complimentary identity theft protection coverage for two years to impacted parties. New Hampshire’s breach notification documented the company’s acknowledgment that no specific evidence confirmed actual access to or theft of personal data during the incident. The disclosure emphasized the transient nature of the breach while maintaining compliance with state regulatory requirements through direct individual notifications and official filings.