Cyber Incident Victim: Andesa Services
Date:
May 2023
Location:
United States of America
Summary
A cybersecurity incident involving Andesa Services resulted in an external system breach. The unauthorized party acquired the personal information of over thirty thousand individuals, including the names and Social Security Numbers of thirty-eight Maine residents. The breach was discovered immediately and the affected individuals were subsequently offered identity theft protection services, which included credit monitoring, fraud alerts, and insurance coverage for a period of twelve months.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On May 31, 2023, New York Life Insurance Company discovered a breach of its external systems. The incident was identified as an external system breach resulting from hacking. The unauthorized access occurred over a two-day period, from May 30, 2023, to May 31, 2023. The breach was discovered on the same day it concluded, May 31, 2023. The entity involved was a financial services organization operating from 51 Madison Avenue in New York, NY. The breach notification was submitted to the Maine Attorney General's office by Linda Beebe, who served as Associate General Counsel for New York Life Insurance Company.
The investigation determined that the breach impacted a total of 30,167 individuals. This figure included 38 residents of the state of Maine. The compromised information consisted of a personal identifier, specifically an individual's name, in combination with their Social Security Number. The acquisition of this highly sensitive data presented a significant risk of identity theft and financial fraud for the affected individuals.
In response to the incident, New York Life Insurance Company undertook a notification process for all impacted consumers. The company elected to use written notification as its method of communication. The mailing of these notifications to affected individuals occurred on October 23, 2023, approximately five months after the breach was discovered. The notice sent to Maine residents was documented under the file name EXPERIAN_Job42811d22_AndesaServices.pdf, indicating a connection to a service provider named Andesa Services.
Furthermore, the company offered identity theft protection services to the individuals whose information was acquired. The provider of these services was Experian IdentityWorks. The offering included a comprehensive suite of features designed to mitigate the risk of identity theft. These features provided affected persons with a copy of their Experian credit report, active monitoring of their Experian credit file for any indicators of fraud, access to identity restoration specialists, and identity theft insurance coverage of up to $1 million. The duration of these protection services was set for a period of 12 months.
This incident was not the first breach notification issued by New York Life Insurance Company within a twelve-month period. The submission to the Maine Attorney General's office listed three previous breach notifications that had occurred on August 10, 2023, August 11, 2023, and August 21, 2023. The filing did not provide specific details regarding the nature or scope of those prior incidents, only confirming they had been reported to authorities. The breach involving Andesa Services was therefore part of a series of security incidents affecting the company during that timeframe. The compromise of Social Security numbers combined with names represented a severe data exposure due to the permanent nature of this identifier and its critical role in financial and legal transactions.