Cyber Incident Victim: Conner Strong & Buckelew
Date:
Feb 2022
Location:
United States of America
Summary
An insurance brokerage experienced a data breach when unauthorized actors compromised several employee email accounts, accessing confidential consumer information contained within emails and attachments. The company secured the affected accounts, initiated an investigation with third-party cybersecurity experts, and confirmed that sensitive data was exposed. Impacted individuals received notification letters detailing the compromised information, though the specific data types involved were not publicly disclosed. The incident stemmed from unauthorized access to corporate email systems over a multi-week period.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Conner Strong & Buckelew (CSB), an insurance brokerage and consulting firm based in Camden, New Jersey, experienced a data breach involving unauthorized access to several employee email accounts. The company detected unusual activity within these accounts and subsequently secured them while initiating an investigation with third-party data security specialists. Forensic analysis confirmed that an unauthorized actor had compromised the email accounts between February 7, 2022, and March 30, 2022. During this period, the intruder gained access to emails and attachments stored within the affected accounts, some of which contained confidential consumer information. CSB did not publicly specify the exact data types exposed but acknowledged that sensitive consumer data was accessible to the unauthorized party. The firm undertook a review of the compromised files to identify impacted individuals and the nature of their exposed information. On May 10, 2023—over a year after the breach window—CSB filed a notice with the Vermont Attorney General and began mailing individualized data breach notification letters to affected consumers. These letters detailed the specific information compromised for each recipient.
The breach stemmed from compromised employee login credentials, though CSB did not disclose how the credentials were obtained or whether multi-factor authentication was in place. The incident exposed data belonging to consumers whose information was held by third-party entities that had shared it with CSB, making this a third-party data breach. CSB’s investigation did not reveal evidence of intentional misuse of the accessed data at the time of notification. The company operates multiple offices across the eastern United States, employing over 500 people with annual revenues of approximately $408 million. The delayed disclosure timeline—13 months between the breach containment and public notification—reflects the duration required for internal investigation and data review. No ransomware involvement, data destruction, or financial theft was cited in the Vermont Attorney General filing. The breach notifications aimed to inform consumers about potential exposure risks while CSB maintained its operational continuity without reporting service disruptions or additional corrective measures beyond securing the affected accounts.