Posted On April 19, 2022 Consumer Privacy & Data Breaches
April 19, 2022 – Bob’s Red Mill Natural Foods announced that the personal information—including credit and debit card data—of customers was compromised in a recent data breach stemming from a data scrape attack. On April 15, 2022, the company began sending out data breach notifications informing affected customers of the breach.
It is essential those who receive a data breach notification from Bob’s Red Mill understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating the Bob’s Red Mill data breach. As a part of our investigation, we are providing free consultations to anyone affected by the breach who is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from Bob’s Red Mill.
In 2021, there were 1,862 data breaches affecting more than 189,000,000 individuals. Victims of identity theft spend, on average, 200 hours and more than $1,300 recovering their identity. Many of these victims also suffer credit damage and emotional distress, and may even end up with a criminal record. Taking immediate action is the best way to prevent the worst consequences of a data breach.
According to the official notice provided by the company, Bob’s Red Mill recently discovered that it was the target of a specific type of cyberattack known as a data scrape attack. The company confirmed that, as a result of the incident, the names, payment card numbers, expiration dates, CVV numbers, billing addresses and shipping addresses, e-mail addresses, phone numbers, and purchase amounts for transactions between the dates of February 23 and March 1, 2022 were accessible to an unauthorized party.
On March 22, 2022, Bob’s Red Mill was contacted by a customer who reported that someone had used their payment card information to make a fraudulent purchase. Since then, several other customers have made similar reports. On April 15, 2022, the company issued data breach notifications to all customers whose information was impacted in the breach.
Bob’s Red Mill Natural Foods is an employee-owned food manufacturing company based in Milwaukie, Oregon. The company was founded in 1978 and produces natural, certified organic, and gluten-free milled grain products. Bob’s Red Mill employs more than 600 people and generates approximately $239 million in annual revenue.
When you allowed Bob’s Red Mill access to your personal data, you trusted the company to keep your sensitive information safe. However, news of the Bob’s Red Mill data breach raises some very serious questions about the company’s data security measures and whether the company could have done more to prevent this type of cyber-attack.
Regardless of the industry, all businesses have a legal obligation to protect consumer information in their possession. Although creating and maintaining a data security system is costly, this is a necessary expense given the frequency with which cyberattacks occur.
Consumers whose personal, identifying, financial or healthcare-related data was compromised in a data breach can pursue legal action against a company that misused or mishandled their information. However, the investigation into the Bob’s Red Mill breach is only in its beginning phases. For that reason, it is too early to tell if Bob’s Red Mill was legally responsible for the breach. In the meantime, our data breach attorneys are investigating the Bob’s Red Mill security breach to determine the potential legal remedies of those affected.
If you have questions about your ability to pursue a data breach class action lawsuit against Bob’s Red Mill, contact a data breach attorney as soon as possible.
If you receive a data breach notification from Bob’s Red Mill in the coming weeks, it means your personal data was compromised in the recent cyberattack. It also means a cybercriminal may have had access to—and may have stolen—your personal data. Given the risks involved, it is important you remain vigilant by taking the following steps:
At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by the Bob’s Red Mill data breach or any other data security incident, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.
We are writing to notify you about a data-security incident that may have affected the credit card (or other payment card) you used when making a purchase on our website, BobsRedMill.com (https://www.bobsredmill.com/).
This letter contains important information about what happened, including steps you should take to reduce the risk that any fraudulent transactions are completed with your card. The privacy and security of our customers’ information is important to us, and we apologize for the concern and inconvenience this incident may cause you.
We recently learned that, between February 23 and March 1, 2022, malicious software was used to “scrape” purchase-related information entered into our website. This information typically goes directly (and via secure protocols) to our payment processor – but the scraping software is intended to interfere with that. Immediately upon learning of the issue, we began an investigation and took steps to fix the problem. We have isolated and removed the malicious software such that website purchases are again secure.
Initially, we had no evidence that any of the information was acquired (e.g., downloaded or exfiltrated from the website). Nor did we have any indication that the information had been used in any way – such as to make fraudulent purchases. But we continued to look into the incident. On March 22, we received a call from a customer who indicated that they incurred a fraudulent charge. We received a number of similar reports this month. We do not know if these fraudulent charges are related to our website incident, but it now appears possible that payment-card (and other) information may have been acquired. We are therefore providing you with this notice so you can take steps to protect yourself.
What information was involved?
The scraping software appears to have impacted data entered when customers made purchases from our website. The following information therefore appears to have been involved: payment-card number, expiration date, CVV number, billing address and shipping address, including name and street address, e-mail address, phone number, and purchase amount.
We believe that this incident was limited to our website and limited to the period from February 23 – March 1, 2022. We do not believe any of our physical/in-person point-of-sale terminals have been impacted, or that purchases made outside the February 23-March 1 window have been impacted. There is also no information to indicate that Social Security numbers, driver’s license numbers or other government-issued ID numbers, dates of birth, or other sensitive personal information or online account credentials have been compromised. As a result, we believe this incident presents a low risk of identity theft.
If you are receiving this letter, it is because we believe your purchase-related information may have been among the data impacted by the malicious software between February 23 and March 1.
What we are doing
As an organization, we are committed to ensuring the security of our customers’ personal information. The steps we have taken to address this incident include:
When we first learned of this incident, we immediately began an investigation and took steps to fix the problem – such as identifying, isolating, and removing the malicious software.
We immediately notified, and will work with, our payment processor to reduce the likelihood of this type of incident happening again.
We immediately notified the payment-card brands we work with (American Express, Discover, Mastercard, and Visa) and will work with them to reduce the likelihood of this type of incident happening again.
We already devote significant resources to data security, including the security of payment systems.
We will learn from this incident and use the information uncovered during our investigation to further bolster our data security and incident-response processes.
Please note that this letter was not delayed because of a law-enforcement investigation.
What you can do
Monitor your payment-card accounts and report any unauthorized transactions or other suspicious activity to the applicable card brand or card issuer.
You should be vigilant and regularly review and monitor your payment-card account statements and immediately report any suspicious activity to the applicable card brand or card issuer.
Monitor your credit reports.
As with your payment-card account statements, you should regularly review your credit reports and report any suspicious activity or inaccurate information to the applicable credit-reporting agency and the company that furnished the suspicious or inaccurate information. You have the right to obtain a copy of your credit report for free once a year from one of the national credit-reporting agencies.
You may obtain your free copy of your credit report online at www.annualcreditreport.com, by calling toll-free 877-322-8228, or by mailing an Annual Credit Report Request Form (available at www.annualcreditreport.com) to:
Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA, 30348-5281.
You may purchase additional credit reports by contacting one or more of the three following national credit-reporting agencies:
Equifax: P.O. Box 740241, Atlanta, Georgia 30374-0241, 800-685-1111, www.equifax.com
Experian: P.O. Box 9532, Allen, TX 75013, 888-397-3742, www.experian.com
TransUnion: P.O. Box 1000, Chester, PA 19022, 800-888-4213, www.transunion.com
You may also obtain information regarding fraud alerts and security freezes from the foregoing credit-reporting agencies and the Federal Trade Commission (“FTC”).
Report any suspicion of identity theft to regulators.
If you ever suspect that you are the victim of identity theft, please report that to the proper law enforcement authorities, including local law enforcement, your state’s attorney general, and/or the FTC. You may contact the FTC or your state’s regulatory authority to obtain additional information about avoiding identity theft.
Federal Trade Commission, Consumer Response Center: 600 Pennsylvania Avenue, NW, Washington, DC 20580, 877-IDTHEFT (438-4338), www.ftc.gov/idtheft.
Other important information
We will never contact you by phone or email to ask for payment-card information or other sensitive personal information. If you ever receive a call, e-mail, or text message purporting to be from Bob’s Red Mill and asking for such information, it is likely a scam. If you are ever in doubt, please call us at the number listed below to confirm the legitimacy of the call, e-mail, or text message.
We are including some state-specific information as an enclosure to this letter. You should review the enclosure to see if any of the additional information pertains to you.
For more information
If you have any questions or would like more information about this incident, please contact us at 971-233-8799, Monday – Friday, from 9:00 a.m. – 4:00 p.m. Pacific Time.
We appreciate your business and trust, and sincerely apologize for this incident and the inconvenience or concern it may cause.