Update: Astoria notifying 940,000 consumers after breach earlier this year
There is an update to one of the most controversial data breaches of 2021.
Mark Francis of Holland & Knight, who are external counsel for Astoria Company LLC, notified the Maine Attorney General’s Office that Astoria is notifying 940,000 consumers about a breach that occurred in January, 2021.
The breach became controversial, in part, because the Texas-headquartered company claimed that their investigation refuted claims by Vinny Troia of Night Lion Security, and that much of the data in the alleged data set was not from their system.
Astoria did report the breach to state attorneys general, but reported that only 70 consumers were impacted.
In a recent follow-up with them, Astoria’s CEO Scott Thompson gave this site no indication that they were going to be notifying so many people but hinted that there would still be accountability for the breach in the future. It did not seem like he was referring to Astoria but to someone else.
In their email notification, they write:
[Note: In prior correspondence recently, Thompson informed DataBreaches.net that claims that health insurance information was included in the data were erroneous. Leads were just requests to have an insurance agent contact the consumer. Only the agent would actually have the health insurance information, Thompson said.]
What happened? The following description is based on Astoria’s investigation to date: In late January 2021, an alleged security researcher, along with an associate, gained unauthorized access to an Astoria system which had a database of individuals’ personal information. The two individuals were able to obtain a portion of personal information maintained by the system, although the system prevented attempts to obtain further data. Astoria became aware of the intrusion on Feb 8, 2021 and took immediate steps to secure its systems and conduct an internal forensic investigation to determine what information was accessed during the intrusion. After many months of work, Astoria was able to obtain a copy of the data obtained by the security researcher and compare it with Astoria’s records. In an abundance of caution, Astoria is now notifying all individuals who were identified as potentially having sensitive data obtained during the incident. Additional technical details about the cyber‐attack are currently posted at https://astoriacompany.com/cyber‐update/.
Who was affected by this incident? The impacted information included first and last name, mailing address, email address, phone number, date of birth, social security number and/or driver’s license number and state, and in some instances employment information.
What are we doing to protect your information? Astoria is implementing additional security measures to enhance the continued security of information in its care, and the incident has been reported to the FBI.
What they are not doing, it seems, is providing any mitigation services. Their notification template is embedded at the bottom of this post and counsel’s notification to Maine specifically says “No” to the question as to whether identity theft protection was being offered to consumers.
In May, DataBreaches.net provided a detailed report on the dispute between Astoria and Troia. In investigating the conflicting claims by Troia and Astoria, this site reported that Troia lied multiple times to this site about how he obtained the data set that he claimed was all Astoria’s data. That said, this site noted that the samples of data that this site had inspected tended to agree with his claim that the data was Astoria’s:
So, there is still a dispute as to whether the data are real/valid or not, although there does seem to be a lot of data that look like they come from Astoria, including logs of clients requesting refunds for certain leads, etc.
Today’s notice may not be the end of the controversy over this case. Conflicting accusations about how the attack occurred, and who was involved appear to be as yet unresolved questions.Astoria Notice Letter (General)