Cyber Incident Victim: Datasite LLC

On June 27, 2023, Datasite, a software development company based in Minneapolis, Minnesota, filed a notice of data breach with the Attorney General of Massachusetts. This filing formally announced that the company had experienced a third-party data security incident. The notice indicated that the breach resulted in an unauthorized party gaining access to consumers' sensitive personal information. The specific types of information exposed included names and Social Security numbers. The incident did not originate within Datasite's own IT systems but rather occurred at an unnamed third-party vendor used by the company.

The breach was connected to a wider series of cyberattacks. Several weeks prior to the official filing, the hackers responsible for the MOVEit data breach had listed Datasite as one of their victims. This connection strongly suggests, though was not definitively confirmed in the initial notice, that the Datasite incident was one of the many breaches involving the MOVEit file transfer application developed by Progress Software. The MOVEit vulnerability provided a vector for attackers to infiltrate the systems of numerous organizations that utilized the software.

Upon discovering that sensitive consumer data had been made accessible to an unauthorized entity, Datasite initiated a review of the compromised files. This process was undertaken to determine the precise nature of the information that was leaked and to identify which specific consumers were impacted by the event. The investigation confirmed that the breached information varied from individual to individual, but for all affected persons, it included their name and Social Security number. The compromise of Social Security numbers is particularly significant due to the high risk of identity theft and financial fraud associated with such exposure.

Following its internal review, Datasite took action to notify affected individuals and regulators. The company fulfilled its legal obligation by submitting the notice to the Massachusetts Attorney General on June 27, 2023. In addition to this regulatory filing, Datasite began the process of directly informing victims. The company stated that consumers affected by the third-party data breach should expect to receive data breach notification letters by mail. These letters were intended to explain more details about the incident to those whose information was compromised.

Datasite is a provider of software as a service (SaaS) operating primarily in the mergers and acquisitions industry. The company has a substantial global footprint, reporting operations in 180 countries and involvement in over 100,000 facilitated transactions. With more than 1,000 employees and annual revenue of approximately $270 million, the company represents a significant entity within its sector. The breach incident highlights the growing trend of third-party data breaches where attackers target vendors and service providers rather than the primary company itself, thereby gaining access to the data of their clients' customers.

The immediate consequence of the breach was the exposure of highly sensitive personal data, placing affected consumers at a heightened risk of identity theft and various forms of financial fraud. The incident underscores the systemic risks associated with relying on third-party vendors for data processing and storage, as a vulnerability in one vendor's system can lead to a data compromise affecting numerous downstream companies and their customers. The response from Datasite involved the standard post-breach actions of investigation, regulatory notification, and individual consumer notification as required by law.