Cyber Incident Victim: Service By Medallion
Date: Aug 2021
Location: United States of America
Summary
Service By Medallion experienced a data breach stemming from unauthorized access to an employee's email account, compromising individuals' names and Social Security numbers. The intrusion persisted for an extended period before detection, prompting the company to secure its systems, investigate the incident, and review affected files to identify impacted parties. Notifications were subsequently issued to affected individuals detailing the exposure of their sensitive personal information. The breach highlights risks associated with compromised email accounts and potential exploitation of personal data for fraudulent purposes.
Description
Service By Medallion, Inc. (“SBM”) detected unusual activity in an employee’s email account on January 5, 2022, and responded by immediately securing its servers and opening an internal investigation. The investigation found that unauthorized access to the account had begun earlier, on August 21, 2021, and persisted until January 16, 2022. During this five-month period, the intruder potentially accessed sensitive consumer information stored within the email account. SBM’s forensic review confirmed that the exposed data included individuals’ names and Social Security numbers, though the specific data exposed varied by affected individual. The company undertook a comprehensive file review to identify all impacted consumers and the scope of the compromised information. On August 16, 2022, SBM formally reported the breach to the California Attorney General and began sending notification letters to affected individuals.

Founded in 1978, the Mountain View-based facility maintenance company provides janitorial services, temporary staffing, and construction support, with over 209 employees and $122 million in annual revenue. The breach notification did not disclose the exact number of affected individuals but confirmed the exposure of personally identifiable information that carries identity theft risk. While SBM’s public statements attributed the breach to unauthorized email account access, they did not confirm the intrusion method; phishing remains an unverified potential vector, suggested only by its prevalence in industry attack statistics. The company’s response included securing systems upon detection, investigating the incident timeline and data exposure, and fulfilling regulatory notification obligations seven months after initial detection. The available filing disclosed no additional attacker motives, evidence of data misuse, or post-breach consumer fraud incidents.
