Cyber Incident Victim: Endue Software
Date:
Feb 2025
Location:
United States of America
Summary
Endue Software experienced a cybersecurity incident involving unauthorized access to internal systems during a brief period, resulting in the copying of files containing sensitive personal information. The compromised data included individuals' full names, addresses, Social Security numbers, dates of birth, and medical record numbers. The company secured its environment upon detecting the activity and initiated an investigation to determine the scope of the breach. While no identity fraud has been confirmed as stemming from the incident, notification letters are being mailed to potentially affected individuals whose protected information was identified in the accessed files.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On February 17, 2025, Endue Software detected potential unauthorized access to certain internal systems, prompting an immediate investigation and system security measures. The investigation confirmed a cybersecurity event occurred on February 16, 2025, during which an unauthorized actor briefly accessed Endue's systems and copied files from specific internal repositories. Endue initiated a comprehensive review of the compromised files to identify affected individuals and determine the scope of sensitive information involved. The company determined the incident exposed personal information provided to Endue by its clients, though no evidence of identity fraud or attempted misuse was identified at the time of disclosure. Impacted data elements varied by individual but included full names, addresses, Social Security numbers, dates of birth, and medical record numbers. Endue secured its environment upon discovery and engaged in forensic analysis to establish the intrusion timeline and data exposure parameters.
Endue began mailing notification letters to affected individuals with valid address information starting April 11, 2025, approximately two months after detecting the breach. The company established a dedicated assistance line (1-833-998-5748) and postal correspondence address (29 North Street, Unit A, Portland, ME 04101) for inquiries regarding the incident. Impacted parties were advised to review guidance from the Federal Trade Commission and major credit bureaus—Equifax, Experian, and TransUnion—regarding credit monitoring options. The notice outlined legal rights available to U.S. consumers, including free credit reports, fraud alerts, and credit freezes, while specifying documentation requirements for implementing these protections. Endue confirmed the disclosure timeline complied with legal requirements and was not delayed by law enforcement investigations. The company did not disclose the number of affected individuals, specific clients involved, or technical details regarding the attack methodology in its public notification.