Cyber Incident Victim: Frank J. Martin Company

In September 2015, Frank J. Martin Company issued notifications to customers who had made purchases through its Padlocks4Less website, warning that their personal and payment card information may have been accessed without authorization. The FBI alerted the company to the potential compromise after discovering that credit card data used on the site could have been exfiltrated between June 3 and August 26 of that year. The breach exposed customers’ names, addresses, phone numbers, email addresses, and payment card details, though the exact number of affected individuals remained undisclosed. The company stated it had no evidence confirming fraudulent use of the compromised data at the time of notification. The unauthorized access occurred over an 11-week period, but the specific methods used to infiltrate the website or the identity of the threat actors were not publicly identified.

Frank J. Martin Company responded by taking the Padlocks4Less website offline immediately upon discovering the potential breach. The company implemented unspecified security measures designed to prevent future incidents and cooperated with the FBI’s ongoing investigation. Notifications were sent to all potentially affected customers by September 22, 2015, as documented in a Vermont government publication. The company’s communication emphasized proactive containment but did not disclose technical details about the compromise vector, remediation steps, or forensic findings. The FBI’s involvement remained active at the time of the September 25 media report, with no public resolution or attribution provided.