Cyber Incident Victim: Appriss
Date:
May 2023
Location:
United States of America
Summary
A cybersecurity incident at The Vitality Group, LLC resulted from a compromise of a third-party software application, Progress Software's MOVEit. This external system breach exposed the personal information of over 700 individuals, including one Maine resident. The types of data acquired included names combined with Social Security Numbers. The entity offered affected individuals 24 months of credit monitoring and identity theft protection services.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On May 30, 2023, a data breach occurred involving The Vitality Group, LLC, a commercial organization based at 120 S. Riverside Plaza, Suite 400, in Chicago, Illinois. The incident was not discovered by the organization until two days later, on June 1, 2023. The breach was not the result of a direct intrusion into the company's own internal systems but was instead caused by a compromise of third-party software. Specifically, the breach was attributed to an external system breach, or hacking, involving Progress Software Corporation's MOVEit file transfer tool. This software compromise served as the attack vector that enabled unauthorized access to the organization's data.
The breach resulted in the personal information of 705 individuals being acquired by an unauthorized actor. This total included one resident of the state of Maine. The specific type of information exposed in the incident was limited to an individual's name or other personal identifier in combination with their Social Security Number. The compromise did not extend to other types of sensitive data such as financial account information, payment card details, or medical records, based on the information provided in the official notification.
The legal representation for The Vitality Group, LLC, in this matter was provided by the firm Taft Stettinius & Hollister LLP. An attorney from this firm, Zenus Franklin, acting as outside counsel, submitted the official data breach notification to the relevant authorities. The contact information provided for this submission included a telephone number and an email address. The notification was formally filed with the Office of the Maine Attorney General, specifically within the Consumer Protection division's section for Privacy, Identity Theft and Data Security Breaches.
In response to the breach, The Vitality Group, LLC, elected to provide affected individuals with identity theft protection services. The company engaged Experian to provide these services, which included credit monitoring and identity theft protection. The offered services were to last for a duration of twenty-four months. This offering was extended to all 705 affected individuals, including the single Maine resident.
The method of notification to the consumers was conducted via written notice. The company did not initiate immediate notification upon discovery; the process of informing affected individuals began on July 17, 2023, which was over six weeks after the breach was discovered and nearly seven weeks after the breach itself occurred. A copy of the notice that was sent to the affected Maine resident was included as an attachment with the filing, titled "L25 Appriss final.pdf". The entity reported that there had been no previous breach notifications submitted within the twelve months preceding this incident. Because the total number of affected Maine residents was only one, which is significantly below the threshold of 1,000, there was no requirement to notify the consumer reporting agencies about the event. The official filing and public record of this incident serve as the primary documentation of its occurrence and the organizational response.