Cyber Incident Victim: Waste Management
Date:
Jan 2021
Location:
United States of America
Summary
A US waste management firm experienced a cybersecurity incident where an unauthorized actor accessed its network, compromising sensitive healthcare and personal information of current and former employees and their dependents. The breach exposed names, Social Security numbers, financial account details, medical histories, government IDs, passport numbers, and login credentials for electronic accounts. The company detected suspicious activity, initiated an investigation with third-party forensic specialists, and involved law enforcement. No operational disruptions occurred, and additional security safeguards were implemented following the incident. The exposed data's scope and sensitivity drew criticism regarding the necessity of storing such extensive personal information in HR systems.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On January 21, 2021, Waste Management Resources detected suspicious activity within its network, prompting an immediate investigation with third-party forensic specialists and notification to the FBI. The investigation revealed unauthorized access occurred between January 21 and 23, 2021, during which an attacker obtained a limited number of files containing highly sensitive employee and dependent healthcare information. The compromised data included names, Social Security numbers, taxpayer identification numbers, government and state ID numbers, driver’s license numbers, dates of birth, bank account numbers, debit and credit card numbers, medical history, treatment information, health insurance details, passport numbers, usernames, email addresses, and passwords for financial electronic accounts. The breach specifically affected individuals who submitted claims to the company’s self-insured health plan, encompassing current and former employees and their dependents. Waste Management Resources did not publicly disclose the incident until approximately six months after its June 21, 2021 discovery date, delaying notification until late 2021. The company confirmed the attacker’s access was confined to its environment during the three-day window and emphasized no business operations were disrupted during or after the incident.
Waste Management Resources advised impacted individuals to monitor their credit reports and implement fraud alerts or credit freezes as protective measures. The company stated it had implemented additional data security safeguards following the breach but did not specify technical or procedural changes. A company spokesperson reiterated Waste Management’s commitment to data security and privacy while acknowledging the incident potentially compromised job application and employment-related information alongside healthcare data. Security experts publicly criticized the breadth of exposed information, questioning the business justification for storing passport numbers and financial account passwords in human resources systems. The breach’s scale and sensitivity drew significant attention due to the comprehensive nature of the stolen personal identifiers, medical records, and authentication credentials, creating substantial risks of identity theft and financial fraud for victims. Waste Management Resources expressed regret for any concerns or inconveniences caused but reported no operational impacts from the incident or its remediation efforts.