Cyber Incident Victim: Creative Services, Inc.

On November 26, 2021, Creative Services, Inc. (CSI), a Massachusetts-based background check and security consulting firm operating for 45 years, detected suspicious activity on its computer systems. Subsequent investigation revealed an unauthorized individual had accessed the company's network and potentially copied files spanning November 2018 through November 2021. By late January 2022, forensic analysis confirmed the compromise of personal identifying information belonging to CSI's clients, including names, dates of birth, financial account numbers, Social Security numbers, and driver's license numbers. The breach impacted approximately 164,673 individuals whose data resided in the accessed files. This incident occurred just two months after CSI notified over 1,000 individuals about a separate unauthorized access event involving their PII, though no direct connection between the two breaches was specified in available documentation.

In February 2022, CSI initiated mailed notifications to affected individuals and offered 24 months of complimentary credit monitoring, fraud consultation, and identity theft restoration services. The company acknowledged the breach in a privacy incident notice, stating it took the event seriously and was implementing enhanced security measures despite having existing safeguards. By March 2022, four parallel class-action lawsuits were filed against CSI in federal courts, including one by New York plaintiff Santos Acosta. The suits collectively alleged CSI failed to implement adequate security measures to protect sensitive PII, specifically citing insufficient data encryption practices and negligent cybersecurity policies. Plaintiffs contended these deficiencies enabled the breach and exposed individuals to identity theft risks, with Acosta's filing asserting CSI acted recklessly by not maintaining reasonable safeguards for the background check data it collected.