Cyber Incident Victim: Genesis Energy

On or around May 30, 2023, Genesis Energy, L.P., a commercial entity based at 811 Louisiana Street, Suite 1200, in Houston, Texas, experienced a data security incident. The breach was not discovered internally by the company but was identified two days later on June 1, 2023. The nature of the incident was an external system breach, specifically categorized as hacking. The root cause was attributed to a vulnerability present within a third-party software product utilized by the organization. This vulnerability provided the pathway for unauthorized external actors to gain access to the company's systems and acquire sensitive information.

The compromised data consisted of personal identifiers, specifically the names of individuals in combination with their Social Security Numbers. The breach had a significant scope, impacting a total of 8,140 individuals. Among this affected population, 31 were identified as residents of the state of Maine. The breach notification filed with the Maine Attorney General’s office confirmed that the number of impacted Maine residents did not exceed 1,000; therefore, there was no regulatory requirement to notify consumer reporting agencies about the incident as it pertained specifically to that state's reporting threshold.

In response to the incident, Genesis Energy, L.P. engaged an outside law firm, Littler Mendelson, P.C., to manage the regulatory and consumer notification process. The submission to state authorities was handled by Phillip Gordon, a shareholder at the firm, acting on behalf of Genesis Energy. The company decided to provide written notification to all affected individuals. These formal notices were dispatched to consumers on June 30, 2023, approximately one month after the breach occurrence and within the same month it was discovered.

As a component of its response, Genesis Energy offered complimentary identity theft protection services to all persons whose information was acquired in the breach. The protection services consisted of a 36-month membership in NortonLifeLock’s “LifeLock Defender™ Preferred” product. This service package was designed to mitigate potential future harm to the victims by providing a suite of protective tools. These tools included continuous credit monitoring services to alert individuals to changes in their credit reports, fraud detection tools to identify suspicious activity, dark web monitoring to scan for exposed personal information, and access to identity restoration services should a consumer become a victim of identity theft. The offering of these services was a direct remedial action taken to address the exposure of highly sensitive Social Security Numbers.

The incident was formally reported to the Office of the Maine Attorney General as required by state law due to the impact on Maine residents. The filing provided a detailed account of the event, including the date of occurrence, the date of discovery, the nature of the breach, the specific type of personal information involved, and the total number of individuals affected both nationally and within the state. The submitted documentation included a copy of the template used for the individual consumer notification letters. The report did not indicate that Genesis Energy had experienced any previous breach notifications within the twelve months preceding this event. The response actions focused on consumer notification and the provision of protective services, with the technical containment measures related to the third-party software vulnerability not being detailed in the public regulatory filing.