Cyber Incident Victim: Morley
Date: Aug 2021
Location: United States of America
Summary
A ransomware attack targeted a business services provider serving major corporate clients, compromising personal data of over 521,000 individuals including employees, contractors, and client personnel. Threat actors exfiltrated sensitive information such as names, Social Security numbers, dates of birth, medical treatment details, health insurance records, and client identifiers prior to encrypting files. The company engaged cybersecurity specialists to conduct forensic analysis, confirming unauthorized data access but finding no evidence of subsequent misuse. Impacted parties received notifications with enrollment options for complimentary identity theft monitoring services covering two years. The incident prompted extensive review of affected systems and coordination with potentially exposed individuals affiliated with enterprise clients.
Description
On August 1, 2021, Morley Companies Inc., a U.S.-based provider of business services to Fortune 500 and Global 100 clients, experienced a ransomware attack that compromised its digital environment. The incident rendered company data unavailable following file encryption by threat actors, who also exfiltrated sensitive personal information prior to deploying ransomware. Morley disclosed the breach in February 2022 after completing an investigation that determined unauthorized access to data belonging to 521,046 individuals, including employees, contractors, and client personnel. The compromised information encompassed full names, Social Security numbers, dates of birth, client ID numbers, medical diagnostic and treatment details, and health insurance information. The company acknowledged that attackers obtained this data from its systems but found no evidence of malicious use during its investigation.

Morley initiated response measures by engaging cybersecurity specialists to analyze the breach scope and employed unique data analysis methods to identify affected parties. Notification letters were prepared throughout late 2021, with contact information collection finalized by early 2022 to inform impacted individuals. The company offered all victims 24 months of complimentary identity theft protection services through IDX, including enrollment instructions distributed via mailed notifications. While the attack disrupted Morley’s operations through data unavailability, the primary impact centered on potential identity theft risks for those whose personal and medical information was stolen. The incident highlighted secondary exposure risks for employees of Morley’s corporate clients, though specific client names or contractual consequences remained undisclosed in public statements.
