Cyber Incident Victim: CLEAResult Consulting Inc.
Date: May 2023
Location: United States of America
Summary
CLEAResult Consulting Inc. experienced an external system breach involving unauthorized access to its network. The security incident compromised the personal information of thousands of individuals, including a subset of Maine residents. The acquired data included names in combination with financial account details and credit or debit card numbers along with their security codes. The company offered affected persons 24 months of identity theft protection services, which included credit monitoring and a fraud reimbursement policy.
Description
On or around May 30, 2023, CLEAResult Consulting Inc. experienced an external system breach. The incident, which was identified as a hacking event, was discovered the following day on May 31, 2023. The company, an energy efficiency program administrator operating from 6504 Bridge Point Parkway, Suite 425, in Austin, Texas, determined that unauthorized individuals had gained access to its systems and acquired sensitive personal information. The specific technical methods used by the threat actors to infiltrate the network were not detailed in the public notification.

The compromised information included a combination of personal identifiers and financial data. Specifically, the acquired data consisted of names paired with financial account numbers or credit and debit card numbers. Furthermore, these financial details were compromised in combination with their corresponding security codes, access codes, passwords, or PINs for the accounts. This combination of data elements significantly increased the potential risk of fraud and financial misuse for the impacted individuals. The total number of persons affected by this security incident was 12,723, which included residents from various jurisdictions. Of this total, seven individuals were identified as residents of the state of Maine.
The breach response was managed by legal counsel, with Donna Maddux, a Partner at the law firm Constangy, Brooks, Smith & Prophete, LLP, acting as the submitting agent for the official breach notification to the Maine Attorney General's office. The firm's contact information was provided for official correspondence regarding the incident. The process of determining the full scope of the breach and identifying all affected individuals commenced immediately upon discovery.
CLEAResult opted to provide written notification to all consumers whose information was involved in the incident. The company did not immediately notify consumers upon discovery; the mailing of written notices to affected Maine residents occurred nearly three months later on August 23, 2023. A copy of the notice sent to residents was filed with the regulatory authority. The company confirmed that no separate breach notifications had been issued within the twelve months preceding this incident.
As a remedial measure, CLEAResult offered comprehensive identity theft protection services to all impacted individuals. The company engaged IDX to provide these services, which included credit monitoring, identity monitoring, and dark web monitoring for a duration of twenty-four months. The offering also included a fraud reimbursement policy with coverage of up to one million dollars and access to a dedicated call center for support and assistance. This provision was intended to help detect and mitigate potential misuse of the stolen information. The offering of such services is a common practice intended to help protect consumers from identity theft following the exposure of sensitive personal and financial data. The compromise of financial authentication credentials presents a direct risk of unauthorized transactions and account takeover attempts. The company's response included these measures to address the immediate risks posed by the data exposure. The incident was formally reported to the relevant authorities in accordance with state legal requirements.
