Posted On October 5, 2022 Consumer Privacy & Data Breaches
On September 30, 2022, Chemonics International, Inc. filed notice of a data breach with various state government entities after the company learned that an unauthorized party had gained access to sensitive consumer data stored on its servers. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, Social Security numbers, financial account numbers, medical information, health insurance information, and access credential information. After confirming that consumer data was leaked, Chemonics began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.
If you received a data breach notification, it is essential you understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating the Chemonics data breach on behalf of people whose information was exposed. As a part of this investigation, we are providing free consultations to anyone affected by the breach who is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from Chemonics International, Inc.
The available information regarding the Chemonics International breach comes from the official notices the company filed with various state attorney general offices, as well as a notice posted on the company’s website. According to these sources, on July 21, 2021, Chemonics detected “anomalous activity” within its email environment. In response, the company launched an internal investigation with the assistance of cybersecurity specialists.
The company’s investigation confirmed that unauthorized parties were able to gain access to multiple employee email accounts between March 2, 2021 and July 13, 2021. The Chemonics investigation also revealed that the affected email accounts contained sensitive consumer information.
Upon discovering that sensitive consumer data was made available to an unauthorized party, Chemonics International began to review the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, Social Security number, financial account numbers, medical information, health insurance information and access credential information.
On September 30, 2022, Chemonics International sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
Founded in 1975 and based in Washington, D.C., Chemonics International, Inc. is a business services and consulting company specializing in international development. The company has worked in over 150 countries, helping its corporate clients confront issues such as agriculture & food security, digital development, economic growth & trade, health, gender equality & social inclusion and more. Chemonics International employs more than 5,000 people and generates approximately $1 billion in annual revenue.
Chemonics first discovered that the company had experienced a potential data breach in July 2021; however, it did not file an official notice of the breach or send out data breach letters to affected individuals until October 2022. Assuming that Chemonics knew that consumer data may have been leaked, wouldn’t such a delay increase the likelihood of identity theft or other frauds?
Certainly, the answer is “yes.” Hackers and other cybercriminals typically try to use any information they obtain through a data breach as soon as possible. This is because the stolen information may become useless to them if a consumer closes their account or takes other precautionary measures. Thus, by waiting to provide notice, a company gives hackers more time to use the data for criminal purposes. If this is the case, why would a company wait to provide notice to those who were affected by a data breach? There are a few possible answers.
One explanation for a company waiting to notify consumers of a breach is that the company didn’t realize it had been hacked. However, in the case of the Chemonics breach, it appears that the company discovered that an unauthorized party at least potentially had access to its employee email accounts shortly after the breach occurred. While there are exceptions, as a general matter, organizations with robust data security systems can often detect and contain a breach rather quickly. So, while companies can’t report a breach they are unaware of, a company’s failure to discover unauthorized access raises questions about its data security practices.
Another possible reason why a company might not report a data breach immediately is that it is cooperating with an ongoing law enforcement investigation. In larger breaches especially, law enforcement agencies ask companies to wait to report a breach. This is so the criminals who orchestrated the attack are not alerted to the fact that the breach has been detected and is under investigation. By waiting to publicly report a breach, a company gives law enforcement time to investigate the incident and, potentially, catch the hackers who conducted the attack.
Yet another reason why a company may not report a breach right after its discovery is that the company is in the process of reviewing the compromised information to determine what was leaked and who was affected. When a company learns of a data breach, it may not know what data was compromised until it completes a thorough investigation, which can take some time. Of course, companies can issue preliminary data breach notices to customers, providing them with what limited information they have at the time.
The fact that a company waits to file official notice of a data breach doesn’t mean the company is being negligent of the risks the breach poses to consumers. It also doesn’t necessarily mean that the company is trying to sweep the incident under the rug. However, as a general practice, companies that learn of a data security incident should inform consumers as soon as possible, giving them time to protect themselves from the worst consequences of a breach.
At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by the Chemonics data breach or any other data security incident, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.
To schedule your free consultation, just call (866) 778-5500 today or fill out our secure contact form.
Below is a copy of the initial data breach letter issued by Chemonics International, Inc. (the actual notice sent to consumers can be found here):
Dear [Redacted],
Chemonics International, Inc. (“Chemonics”) is committed to protecting the security and privacy of information that we maintain. Unfortunately, we regret to inform you that we were the victim of a sophisticated cyber incident.
On July 12, 2021, we discovered anomalous activity in our email environment. Upon discovery, we immediately initiated an investigation of the incident with the assistance of forensic experts. Forensic examination confirmed that an unauthorized actor(s) obtained access to several email accounts from March 2, 2021 to July 13, 2021, although our investigation could not conclusively determine the specific emails that were accessed. The investigation also found no conclusive evidence of data exfiltration, and we have no evidence of actual or attempted misuse of anyone’s personal information.
Nevertheless, we are providing notice to individuals whose personal information may have been impacted by this unauthorized access. The categories of personal information that may have been impacted include government-issued identification numbers, financial account numbers, medical information, health insurance information, and/or access credential information.
We take this incident very seriously and sincerely regret any inconvenience this incident may cause you. Upon discovery of this incident, we secured our network, safely remediated our systems and operations, implemented measures to further improve the security and monitoring of our systems, and notified law enforcement. We also have set up a dedicated call center in the United States and in the United Kingdom as well as a dedicated email account to answer questions about this incident. In addition, we are providing identity monitoring services to potentially impacted individuals based on their geographic location. If you believe you were affected, please click here if you reside in the United States, here if you reside in the United Kingdom, or here if you reside outside the United States and the United Kingdom.
United States Notification
We sincerely regret any inconvenience this incident may cause you. For individuals potentially impacted in the United States, we are offering those individuals access to 24 months of credit monitoring and identity restoration services.
If you have questions and reside in the United States, please call our dedicated assistance line at (855) 726-7360 (toll-free), Monday – Friday, 9:00 a.m. to 11:00 p.m. Eastern Time, and Saturday – Sunday, 11:00 a.m. to 8:00 p.m. Eastern Time. Be prepared to provide the engagement number [Redacted] when calling.