Cyber Incident Victim: Westat

Date: May 2023

Location: United States of America

Summary

Westat experienced an external system breach involving unauthorized access to its network. The incident compromised the personal information of nearly 8,000 individuals, including their names and Social Security Numbers. The organization discovered the breach approximately three weeks after it occurred. In response, Westat began notifying affected individuals and offered them a complimentary 12-month subscription to credit monitoring and identity protection services.

Description

On or about May 29, 2023, Westat, Inc., an organization based at 1600 Research Boulevard in Rockville, Maryland, experienced a breach of its external systems. The incident was characterized as an external system breach resulting from hacking. The unauthorized actor or actors involved in this incident successfully acquired data. The specific information acquired included the names of individuals in combination with their Social Security Numbers. This breach was not discovered immediately upon occurrence. The company discovered that the security incident had taken place nearly a month later, on June 22, 2023.

The total number of persons affected by this data security event was 7,954 individuals. This figure included 65 residents of the state of Maine. Because the number of affected Maine residents was below the 1,000-person threshold, there was no requirement to notify consumer reporting agencies regarding this aspect of the breach. The compromised data types, particularly the combination of name and Social Security Number, are considered highly sensitive personal information. The exposure of such data creates a significant risk of identity theft and financial fraud for the impacted individuals.

Westat's response to the breach involved a formal notification process. The type of notification provided to consumers was written notification. The company began notifying affected individuals on July 21, 2023, which was approximately one month after the discovery of the breach and nearly two months after the breach itself occurred. As part of its commitment to addressing the potential harms caused by the incident, Westat offered identity theft protection services to the affected persons. The company provided these services through the provider IDX. The services included credit monitoring and identity protection, and they were offered for a duration of twelve months at no cost to the recipients.

The breach was reported to the Office of the Maine Attorney General by David Reesman, Vice President and General Counsel at Westat. His relationship to the entity whose information was compromised was that corporate role. His contact information, including telephone number and email address, was provided as part of the official submission to the state authorities. The entity was classified as an "Other Commercial" type of organization. A copy of the notice sent to the affected Maine residents was filed with the state under the title "Notice of Data Event - Westat - ME.pdf". The report confirmed that the entity had submitted no previous breach notifications within the twelve months preceding this incident.

The compromised data was limited to personal identifiers and Social Security Numbers; no other types of personal information were listed as having been acquired during the breach. The incident serves as an example of the time delay that can exist between a breach occurring and its subsequent discovery by the affected organization, highlighting the ongoing challenges in cybersecurity detection. The response included standard post-breach actions such as consumer notification and the offering of protective services to mitigate potential future harm to the victims.
