doTERRA
| Primary URL | Location | Industry |
|---|---|---|
| doterra[.]com | Country: United States of America | Retail |
Profile
doTERRA International LLC operates as a provider of essential oils and related wellness products, distributing its offerings through a multi-level marketing model that engages a network of independent distributors alongside direct retail customers. The company is headquartered in the United States, specifically in Utah, and its business structure relies on a combination of individual sales consultants and corporate-driven distribution channels to reach consumers. Its product portfolio centers on therapeutic-grade essential oils, along with accessories and blended products, targeting markets interested in natural health and aromatherapy solutions. The organizational framework emphasizes a consultant-driven sales force, which is a common characteristic of companies in the direct selling sector, though specific details regarding global reach or exact market share are not provided in the available information. The company's operational model inherently involves the collection and management of personal and financial data from both its distributor network and its customer base, a factor that became central to a significant security event.
A documented security incident occurred on April 18, 2016, when a data breach at a third-party hosting provider compromised sensitive information belonging to doTERRA's customers and distributors. The breach exposed a wide array of personal data, including names, Social Security or identification numbers, payment card details, dates of birth, contact information, and account credentials. While the total number of individuals affected nationwide was not publicly disclosed by the company, it confirmed that at least 2,330 residents of New Hampshire were impacted. In response, doTERRA initiated notification procedures for affected individuals and filed reports with multiple state attorney general offices, indicating an effort to comply with data breach disclosure laws. This event highlights a critical dependency on external technology partners for data security and the associated risks when such a provider experiences a compromise. The nature of the exposed data suggests the potential for significant financial and identity theft risks for those affected, underscoring the serious consequences of third-party data management failures for organizations handling sensitive consumer information. The incident remains a key reference point for understanding the company's historical data security posture and its interactions with regulatory bodies following a breach.
