Uncovered Expansion in Data Breach Affected Individuals: Over One Million Now Reported as Affected by Young Consulting
In April 2024, Young Consulting, now trading as Connexure, fell victim to a significant data breach. The exact number of days it took to identify and contain the attack is not specified, but it has since come to light that over 1 million individuals have been affected.
The breach, which was not widely reported as a ransomware incident, included sensitive information such as names, Social Security numbers, dates of birth, and insurance policy/claim information. The unauthorized actor gained access to Young Consulting's network and copied certain files, the extent of which was only fully understood through a thorough forensic analysis.
The process of determining the number of unique individuals affected by such a large-scale data breach can be complex and time-consuming. Factors such as the complexity of the breach, the volume and diversity of the data, and the uncertainty and verification of attacker claims all contribute to the delay.
Carla Reddick, Connexure's head of HR, updated the company's filing in Maine to reflect the growing number of affected individuals. As more information is uncovered, the number may continue to grow.
In an effort to protect the affected individuals, Connexure has sent additional notification letters in January 2025. These letters offer the same 12 months of credit monitoring and identity theft restoration as those issued in August 2024.
It's important to note that the time it takes to accurately assess the number of affected individuals is not necessarily a reflection of Connexure's cybersecurity acumen. According to IBM's report, the time to identify and contain a data breach can vary depending on the type of attack. The average time can reach up to 292 days, as per IBM's most recent Cost of a Data Breach report.
Cybercriminal groups, like the BlackSuit group that claimed responsibility for this breach, often exaggerate or misstate their haul. As a result, companies must verify and reconcile hacker claims with internal findings before public disclosure to avoid misinformation.
Connexure did not download data from BlackSuit's website to evaluate the veracity of its claims. The company is focusing on ensuring the accuracy of its own findings and providing support to those affected.
In conclusion, the delay in accurately assessing the number of uniquely affected individuals in a large-scale data breach like Connexure's 2024 incident can be attributed to several key factors. These include the technical complexity of understanding what data was compromised, validating the attacker’s claims, evaluating the scope across large and diverse datasets, and navigating legal and regulatory disclosure requirements. This process can span many months, as exemplified by Connexure’s breach taking over a year to confirm more than one million affected people.
- The data breach at Connexure, initially not widely reported as a ransomware incident, involved sensitive information such as names, Social Security numbers, dates of birth, and insurance policy/claim information.
- The company, focused on ensuring the accuracy of its own findings and providing support to those affected, did not download data from the BlackSuit group's website to evaluate the veracity of its claims.
- IBM's report indicates that the time to identify and contain a data breach can vary, with the average time reaching up to 292 days, as per its most recent Cost of a Data Breach report.
- As more information is discovered, Connexure's HR head, Carla Reddick, is updating the company's filing in Maine to reflect the growing number of affected individuals, some of whom have received additional notification letters offering credit monitoring and identity theft restoration services in January 2025.
