Cyber Incident Victim: Spencer Gifts
Date: Nov 2021
Location: United States of America
Summary
Spencer Gifts experienced unauthorized network access where attackers potentially viewed or stole protected health information of approximately 10,000 health plan members, including names, Social Security numbers, and plan details. The breach was detected and contained promptly, with notifications sent months later offering complimentary identity monitoring services while the company reviews and enhances its security measures.
Description
The Spencer Gifts cyber incident occurred between November 24 and November 26, 2021, when unauthorized individuals gained access to the company’s network. The breach was detected on November 25, 2021, prompting immediate action to secure the network by the following day. An investigation confirmed that attackers potentially viewed or obtained files containing protected health information belonging to 10,023 members of Spencer Gifts’ health and welfare benefits plan. The compromised data included names, Social Security numbers, and plan selection details. No evidence suggested broader customer transaction data or retail systems were affected, as the breach specifically targeted employee benefits plan information. The intrusion window was limited to the three-day period before containment.

Spencer Gifts began notifying affected individuals via mailed letters starting January 24, 2022, approximately two months after detecting the breach. The company offered complimentary identity theft monitoring services to impacted plan members, though specific vendor details were not disclosed in notifications. Internally, Spencer Gifts initiated a review of existing security policies and procedures following the incident. The organization committed to implementing additional electronic security features to prevent future breaches, though technical specifics were not publicly elaborated. No disruptions to retail operations or customer-facing services were reported as a direct consequence of the incident. The breach exclusively impacted participants in the company-sponsored health plan, with no mention of ransomware involvement or financial demands in available disclosures.
