Cyber Incident Victim: Mitsubishi Chemical America, Sporting Goods Division

On May 20, 2023, Mitsubishi Chemical America Inc. discovered that a security breach had occurred the previous day, May 19, 2023. The incident was identified as an external system breach resulting from hacking. The unauthorized actor successfully acquired a limited set of personal information. The specific information acquired consisted of an individual's name or other personal identifier in combination with their financial account number or credit/debit card number. Furthermore, this financial data was acquired in combination with the account's security code, access code, password, or PIN, representing a significant compromise of sensitive authentication credentials.

The total number of individuals affected by this breach was 264. This figure included a single resident of the state of Maine. Due to the relatively small scale of the incident, specifically because the number of affected Maine residents was well below the 1,000-person threshold, the company was not required to and did not notify consumer reporting agencies of the breach. The compromised data was highly sensitive, given that it included the necessary details for unauthorized financial transactions.

In response to the incident, Mitsubishi Chemical America Inc. engaged legal counsel. The company's response was managed by Charles Westerhaus, an attorney, who acted as counsel for the entity whose information was compromised. The formal breach notification to the Office of the Maine Attorney General was submitted from his office. The company decided to offer comprehensive identity theft protection services to all affected individuals. The services were provided by Experian through its IdentityWorks program. These services included an initial Experian credit report available at signup, allowing individuals to review the information associated with their credit file. The offering featured active credit monitoring that scrutinized credit files at all three major bureaus: Experian, Equifax, and TransUnion, for any indicators of fraud.

Furthermore, the protection services included full identity restoration support, with specialists made immediately available to assist victims with both credit-related and non-credit-related fraud issues. A notable feature called Experian IdentityWorks ExtendCARE guaranteed that individuals would continue to receive the same high level of identity restoration support even after their two-year membership period concluded. The offering was also backed by identity theft insurance providing coverage of up to $1 million for certain costs and reimbursements for unauthorized electronic fund transfers. The company committed to providing these extensive services for a duration of 24 months to all 264 affected persons.

The method of notification to consumers was written correspondence. The company dispatched these written notices to all affected individuals on July 19, 2023. This date marked exactly two months after the breach was discovered and sixty days after the breach itself occurred. The notice provided a detailed account of the incident, the specific information involved, and a full description of the protective services being offered. A copy of this notice, titled "MCA Notice of Breach.docx," was provided to the Maine Attorney General's office as part of its regulatory filing. This was the only breach notification submitted by the entity within a twelve-month period, indicating no previous recent incidents. The address of record for Mitsubishi Chemical America Inc. is 655 Third Avenue, 12th Floor, New York, New York, 10017, and it is classified as an Other Commercial organization. The breach impacted the company's Sporting Goods Division, though the specific systems targeted or the exact method of hacking were not detailed in the public notification. The response focused on consumer protection and regulatory compliance following the confirmed compromise of financial data.