Cyber Incident Victim: MasterCorp, Inc.

On March 31, 2023, MasterCorp, Inc. determined that an unauthorized party may have gained access to its computer network. This discovery prompted the company to immediately take steps to contain the threat. Following containment, MasterCorp launched a comprehensive investigation into the incident. This investigation was conducted with the assistance of third-party data security specialists. The primary goal of the investigation was to determine the nature and scope of the incident and to identify what, if any, consumer data had been compromised as a result of the unauthorized access.

The investigation confirmed that the unauthorized access to the MasterCorp computer network occurred over a two-day period, specifically between March 30, 2023, and March 31, 2023. During this window, the unauthorized party was able to successfully access the network. The forensic analysis further revealed that the threat actor removed certain files and folders from the MasterCorp network. These files contained confidential consumer information, indicating that the incident constituted a data breach.

Upon confirming that sensitive consumer data had been accessed and acquired by an unauthorized party, MasterCorp began a detailed review of the affected files. This process was necessary to determine the specific types of information that had been compromised and to identify the individuals whose data was involved. The company's review concluded that the breached information varied from individual to individual but consistently included names and Social Security numbers. The compromise of this highly sensitive personally identifiable information significantly increased the risk of identity theft and other fraudulent activities for the affected consumers.

Approximately two months after the initial discovery, on May 30, 2023, MasterCorp, Inc. filed an official notice of data breach with the Attorney General of Vermont. This filing served as a formal acknowledgment of the incident to a government authority. Concurrently, MasterCorp began the process of sending out individualized data breach notification letters to all persons whose information was determined to have been compromised as a result of the security incident. These letters were intended to inform the impacted consumers about the breach and the specific data elements that were exposed.

MasterCorp, Inc. is a substantial hospitality services business based in Crossville, Tennessee. Founded in 1981, the company provides housekeeping, janitorial, floor care, engineering, laundry, and specialty services to a wide range of industries. Its client base includes healthcare facilities, hotels and resorts, educational facilities, multi-tenant office buildings, retail stores, warehouses, and financial institutions. The company serves over 300 business clients across the nation. With more than 1,000 employees and an annual revenue of approximately $218 million, the breach impacted a significant corporate entity within the service sector. The incident involved the company's internal computer network, which housed files containing the personal data of consumers. The unauthorized access and exfiltration of files from this network system directly led to the data compromise. The confirmed impact of the cyberattack was the exposure of consumers' names and Social Security numbers. The company's response actions included immediate threat containment, a forensic investigation with external specialists, a manual review of compromised files, regulatory filing with the Vermont Attorney General, and direct consumer notification via mailed letters.