Business services provider Morley Companies Inc. disclosed a data breach after falling victim to a ransomware attack on Aug. 1, 2021, according to a security incident notification by the company on Wednesday.
The data breach allowed hackers to steal data before the company was able to encrypt the files, which impacted more than 500,000 individuals, including Morley’s employees, contractors, and clients.
Morley is a US company that offers business services to Fortune 500 and Global 100 firms, including meeting management, back-office processing, contact centers, the creation of trade show exhibits, and more.
In notifications released on Tuesday and Wednesday, Morley Companies stated that it suffered a ransomware attack this past summer, which prevented the company from accessing its data.
“As a result, Morley learned that additional data may have been obtained from its digital environment,” explained Morley in the security incident notification. “Morley thereafter began collecting contact information needed to provide notice to potentially affected individuals, which was completed in early 2022.”
According to the announcement, the threat actors also may have stolen clients’ full name, social security number, date of birth, client ID number, medical diagnostic and treatment information, and health insurance information.
While the firm’s investigation hasn’t found any malicious use of the stolen information, Morley said that it will cover the cost of 24 months of identity theft protection services through IDX for all impacted individuals.
Morley said that they contracted a cybersecurity specialist to help them understand why they could no longer access their files.
Upon learning about the ransomware attack, they collaborated with cybersecurity experts to analyze the evidence and determine all impacted parties.
“Special programming was required and unique processes had to be built in order to begin analyzing the data. The data complexity also required special processes to search for and identify key information,” explains a notification that was filed with Maine’s Office of the Attorney General.
“This process was lengthy but necessary to ensure appropriate notification occurred. On January 18, 2022, it was confirmed that your information was involved. Importantly, Morley Companies is not aware of any misuse of your personal information due to this incident.”
However, the cyber-intelligence platform HackNotice claims to have seen Morley’s sensitive data on the dark web last week.