So this is interesting. HBO is sending out breach notification letters related to their breach in May that was disclosed back in July. But to whom are the notifications going? Employees? Customers? Both? And why did it take so many months for notifications to be sent?
From their notification letter, copies of which are now appearing on various state attorneys general sites:
I am writing to notify you of a cyber incident involving Home Box Office, Inc.’s (“HBO”) information technology network and to inform you that we have determined that your personal information was compromised during this incident. The privacy and protection of your information is a matter we take very seriously. HBO deeply regrets the inconvenience this may cause, and we recommend that you closely review the information provided in this letter for some steps that you may take to protect yourself against potential misuse of your information.
In late July 2017, HBO became aware of an incident in which an unauthorized third party claimed to have accessed HBO’s information technology network. We began investigating the incident as soon as we became aware of the potential breach. Our investigation has revealed that an unauthorized third party illegally accessed HBO’s network, including some personally identifiable information about you.
What Information Was Involved
Though the investigation is still underway, we have determined that the information involved in this incident included the following types of your personally identifiable information: [Personal Information Categories].
According to Wisconsin, the breach notification letter applied to “Three Wisconsin residents who were customers of HBO during the time of the breach.” Also according to Wisconsin, “In late July 2017, HBO became aware of an incident in which an unauthorized third party claimed to have accessed HBO’s information technology network. The intruder illegally accessed HBO’s network, including the personally identifiable information of customers. The compromised data included customer Social Security numbers.”
Why would HBO require customer Social Security Numbers?