Cetera Financial Group Data Breach and Investigation

‣ Attorney Investigation Alert
‣ Over 2,000 People Affected by the Breach

On June 9, 2022, Cetera Financial Group, Inc. (“CFG”), a financial services group based in El Segundo, California, reported a data breach to the Maine Attorney General’s Office. 2,188 individuals nationwide were affected by the breach.

According to the company, on March 16, 2022, CFG received notice of a data breach from its printing service, R.R. Donnelley & Sons Company (“RRD”), that occurred between November 29, 2021, and December 23, 2021. After starting its own investigation, CFG determined that personal information from its files that were present on RRD’s systems at the time of the data breach was impacted by the RRD data breach.

While not included in CFG’s notice, it has been widely reported that R.R. Donnelley was the subject of a ransomware attack by the infamous Conti ransomware group. According to public reports, the Conti group took credit for the attack on RRD and briefly posted 2.5 GB of data on its data leak page.

The FBI issued a Flash Alert about Conti ransomware attacks in May 2021. On September 22, 2021, a Joint Cybersecurity Advisory disseminated details about what red flags indicate a business has been compromised by Conti ransomware and how attacks can be avoided.

The sensitive personal information in CFG’s files that may have been accessed and taken includes individuals’ full names and Social Security numbers (SSNs).

The full CFG notice provided to the Maine Attorney General can be viewed here.

CFG is offering affected individuals complimentary identity monitoring services through Experian. The deadline for enrollment in Experian services is listed in the Notice.

Special California Laws Protect You

California has laws that specifically protect your personal information.

  • The California Customer Records Act (CCRA) requires businesses to put into place and maintain reasonable security procedures and practices to protect consumers’ personal information. Companies must also notify affected California consumers quickly and without unreasonable delay.
  • The California Consumer Privacy Act (CCPA) contains many protections for the personal information of California residents, including the implementation and maintenance of reasonable security procedures.

If certain types of personal information, like Social Security numbers and names, are left unencrypted and are accessed, stolen, or hacked because a business didn’t fulfill its obligation to implement and maintain reasonable security, an affected current or former California resident can sue to protect their rights under the CCPA and CCRA.

Participants in data breach lawsuits can recover damages, injunctive relief (to make sure that the business has reasonable security practices to protect consumer data from being leaked again), and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from reoccurring.

Electronic Personal Data Doesn’t Degrade, One Year Of Identity Theft Services Offered by CFG May Not Be Enough

Personal data presents an attractive target for hackers: data can be bought and sold anonymously, and the going rate per personal record is under $20, depending on the type of information it contains, according to the Privacy Affairs Dark Web Index of 2021. Certain critical types of personal information – like Social Security numbers, names, and birth dates – are impossible, or nearly impossible, to change.

Thieves may choose to wait years to capitalize on compromised personal data. The longer cyber thieves can go undetected, the more they stand to profit from their illegal activities.

A Compromised SSN Can Be A Complicated Problem

[1] A hacker with your SSN can use it to get other personal information about you.

[2] Identity thieves can use your SSN and name to apply for credit under your name. When the new credit cards are used by the thieves and they don’t pay, it damages your credit. You may not become aware of the scam until creditors start contacting you for non-payment of the thief’s bills, or you are denied credit.

[3] Stolen SSNs can be used to fraudulently file taxes, apply for jobs, and receive other government benefits.

“Keep in mind that a new [SSN] probably won’t solve all your problems. This is because other governmental agencies (such as the IRS and state motor vehicle agencies) and private businesses (such as banks and credit reporting companies) will have records under your old number. Along with other personal information, credit reporting companies use the number to identify your credit record. So using a new number won’t guarantee you a fresh start. This is especially true if your other personal information, such as your name and address, remains the same.”

(Social Security Administration Publication No. 05-10064 July 2021.)

Once you know your data has been disclosed, it is reasonable to take action to avoid concerns that your data will be used to cause you significant financial losses. Compromised data also increases the risk of hacking and phishing, and heightens anxiety over future losses and identity theft.