Cyber Incident Victim: DePaul Industries
Date:
Feb 2019
Location:
United States of America
Summary
A phishing attack compromised a single employee's email account at DePaul, potentially exposing information from approximately 41,000 behavioral health program clients. While most affected emails lacked significant medical or identity theft-related data, a small subset contained sensitive details including full names, dates of birth, and Social Security numbers. The organization notified impacted individuals and offered one year of credit monitoring services to those whose Social Security numbers were exposed. Following discovery of the incident, the email account was secured and staff received additional anti-phishing training to prevent future occurrences.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On February 1, 2019, DePaul, a local housing and health provider, discovered a potential data breach involving a single employee’s compromised email account. The organization immediately secured the affected account upon detection and initiated an internal investigation to assess the scope of the incident. The investigation determined the breach resulted from a phishing scam, where an external actor obtained the employee’s email credentials to send unauthorized communications. DePaul reviewed over 41,000 emails contained within the compromised account as part of their forensic analysis. While the majority of these emails lacked significant medical details or identity theft-sensitive data, a small percentage contained personally identifiable information of clients in DePaul’s behavioral health program. Exposed data elements included individuals’ full names, dates of birth, and Social Security numbers in some cases. The organization confirmed the attacker’s intent centered on credential misuse for email distribution rather than systemic data exfiltration. DePaul implemented additional staff training on phishing identification and avoidance following the incident.
The breach impacted 41,000 behavioral health program clients whose information was present in the reviewed emails. DePaul mailed individual notification letters to all affected parties on March 29, 2019, approximately seven weeks after initial detection. For those whose Social Security numbers were exposed, the organization offered complimentary credit monitoring services for one year. A dedicated toll-free number (833-888-4248) was established for inquiries about information exposure and enrollment in credit monitoring. DePaul advised all notified individuals to monitor financial accounts, credit reports, and insurance statements for signs of fraud or identity theft. The organization emphasized its existing security policies and procedures while acknowledging the breach in public statements. No ransomware deployment, financial theft, or secondary system compromises were reported in connection with the incident. Remediation efforts focused exclusively on the single compromised email account and its contents.