Did your risk assessment include what’s in your employees’ email accounts?

Today’s reminder that employee email accounts often contain a ton of personal and sensitive information, and if you cannot figure out what emails or attachments were accessed, you will have one helluva task when it comes to notifications.  From STG International‘s notification:

STG International, Inc. (“STGi”) is providing notice of a recent event that may impact the privacy of certain individuals’ information. We are unaware of any actual or attempted misuse of individuals’ information as a result of this event but are providing details about the event, steps we have taken in response, and resources available to help individuals better protect their information, should they feel it is appropriate to do so.

What Happened? We became aware of suspicious activity related to an employee’s email account and promptly commenced an investigation to determine the nature and scope of the activity. The investigation determined that an email phishing campaign targeted certain employees’ email accounts and resulted in unauthorized person(s) intermittently logging into the accounts between October 22, 2020 and January 12, 2021. However, the investigation was unable to determine which, if any, emails and attachments in the account were viewed by the unauthorized person(s). Out of an abundance of caution, we undertook a thorough review of the accounts’ contents to determine whether they contained any sensitive information.

We recently completed this review and determined, on May 3, 2021, that information related to certain individuals was present in the email account during the relevant time period. We took additional steps to identify address information for individuals and worked to provide notice of this event as quickly as possible.

What Information Was Involved? We cannot confirm if the unauthorized person(s) accessed or viewed any specific information relating to individuals. However, we determined that the information present in the relevant accounts included certain individuals’ names, dates of birth, driver’s license numbers / state identification numbers, financial account information, Social Security numbers, U.S. alien registration numbers, passport numbers, taxpayer identification numbers, employer-assigned identification numbers, payment card information, medical information, health insurance information, and/or online account credentials (i.e. usernames and passwords) Please note that the information varies by individual and for many individuals, a limited number of data types were determined to be accessible.

You can access the full notification on their web site.

About the author: Dissent

Comments are closed.