Cyber Incident Victim: CWT Travel
Date: May 2023
Location: United States of America
Summary
An unknown actor exploited zero-day vulnerabilities in the MOVEit Transfer tool used by CWT Travel, gaining access to its server and exfiltrating data. The breach compromised personal information, including names and other sensitive data. The company initiated an investigation with third-party cybersecurity specialists and notified regulators and law enforcement. Impacted individuals were offered complimentary credit monitoring services as a result of the incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On May 31, 2023, Progress Software Corp. publicly disclosed zero-day vulnerabilities impacting the MOVEit Transfer tool. CWT Travel Holdings, Inc. was a user of this tool. Upon learning of the vulnerabilities, the company moved quickly to apply available patching and undertook recommended mitigation steps. CWT promptly launched an investigation with the assistance of third-party cybersecurity specialists to determine the potential impact of the vulnerabilities' presence on the security of data housed on its MOVEit Transfer server. The ongoing investigation determined that an unknown actor exploited the vulnerabilities and accessed the MOVEit Transfer server between May 28, 2023, and May 29, 2023. During this time, the actor exfiltrated certain data from the server.

CWT subsequently undertook a time-consuming and detailed review of the data stored on the server at the time of the incident to understand its contents and to whom the data related. This review process was necessary to identify the specific individuals affected and the types of their personal information that were involved. On August 2, 2023, the company completed this review for specific individuals and learned that data related to them was present on the impacted server at the time of the event. The types of personal information identified in the exfiltrated data included individuals' names.

Upon discovering the incident, CWT took immediate steps to investigate. The company notified state and industry regulators as required and also informed law enforcement of the incident. As an added precaution for the affected individuals, CWT offered complimentary access to 24 months of credit monitoring services through Experian. Individuals were required to enroll themselves in these services by December 31, 2023, as the company could not activate them on their behalf. The services included features such as an Experian credit report at signup, daily credit monitoring of files at Experian, Equifax, and TransUnion for indicators of fraud, identity restoration support, and $1 million identity theft insurance underwritten by American Bankers Insurance Company of Florida.

The company established a dedicated assistance line for affected individuals to call with questions, available Monday through Friday from 9 am to 11 pm EST and Saturday and Sunday from 11 am to 8 pm EST, excluding major U.S. holidays. Individuals could also write to a designated mailing address in Minnetonka, Minnesota. CWT encouraged individuals to remain vigilant against incidents of identity theft and fraud, to review account statements, and to monitor free credit reports for suspicious activity and errors. The notice provided instructions on how to obtain free annual credit reports and detailed the rights of consumers to place fraud alerts or credit freezes with the three major credit reporting bureaus at no cost.

The incident notice included specific information for residents of certain states, including the District of Columbia, Maryland, New Mexico, New York, North Carolina, and Rhode Island. It noted that four Rhode Island residents were impacted by this incident. The notice confirmed that its dissemination was not delayed by law enforcement. The company sincerely apologized for the incident and expressed regret for any inconvenience it may have caused, reiterating its commitment to safeguarding information.
