Posted On November 4, 2022 Consumer Privacy & Data Breaches
On October 26, 2022, Convergent Outsourcing, Inc. filed notice of a data breach with the Office of the Montana Attorney General after the company was targeted in a June 2022 ransomware attack. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, contact information, financial account numbers, and Social Security numbers. After confirming that consumer data was leaked, Convergent Outsourcing began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.
If you received a data breach notification, it is essential you understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating the Convergent Outsourcing data breach on behalf of people whose information was exposed. As a part of this investigation, we are providing free consultations to anyone affected by the breach who is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from Convergent Outsourcing, Inc.
The available information regarding the Convergent Outsourcing breach comes from the company’s filing with the Montana Attorney General’s “Reported Data Breach Incident” database. According to this source, on June 17, 2022, Convergent learned of a possible data security issue when some of the company’s computer systems stopped functioning properly. In response, the company secured its IT system and then launched an investigation in hopes of better understanding the nature of the incident and identifying what, if any, consumer data was compromised as a result.
The company’s investigation confirmed that an unauthorized party conducted a malware attack, which was responsible for the disruption. It was also determined that the unauthorized actors had gained access to certain files containing sensitive consumer information.
Upon discovering that sensitive consumer data was made available to an unauthorized party, Convergent Outsourcing began to review the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, contact information, financial account number, and Social Security number.
On October 26, 2022, Convergent Outsourcing sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
Founded in 1950, Convergent Outsourcing, Inc. is a business services company based out of Renton, Washington. The company provides corporate clients with a range of services, including debt-collections management and call center solutions. Convergent Outsourcing operates nine call centers, seven of which are based in the United States. Convergent Outsourcing operates several specialized divisions, including Convergent Commercial Receivables Management and Convergent Healthcare Revenue Cycle Management. Convergent Outsourcing employs more than 1,124 people and generates approximately $476 million in annual revenue.
Convergent Outsourcing’s filing with the Montana Attorney General provides some useful information about what led to the recent data breach. There, the company explains that the hackers responsible for the attack “gained unauthorized access to our systems and deployed a ransomware malware” and that they also “deployed certain data extraction tools on one storage drive that is used to save and share files internally.”
A ransomware attack is a type of cyberattack in which a hacker installs malware on a company’s computer network. The malware encrypts some or all of the data on the company’s computer system, preventing anyone from within the organization from accessing the system.
Encryption is a process that encodes files, making them inaccessible to anyone without the encryption key (which is usually a password). People regularly encrypt files to protect sensitive data from unauthorized access. However, cybercriminals also use encryption when carrying out certain types of cyberattacks—usually ransomware attacks.
When orchestrating a ransomware attack, hackers will often use a technique called “phishing.” This involves sending an email to an employee of the organization in hopes of getting them to either click on a malicious link or provide their information directly to the hacker. Once the employee clicks on the malicious link, it downloads the malware onto their computer. The malware then encrypts the files on the computer and may infect other parts of the organization’s network. The hackers then send management a message demanding the payment of a monetary ransom in exchange for the encryption key.
If the company pays the ransom, the hackers decrypt the company’s computers, which ends the attack—at least from the company’s perspective. Typically, hackers end a cyberattack once the organization pays the ransom; otherwise, there would be no incentive for companies to pay a ransom in the future.
More recently, hackers have started telling companies that if they do not pay the ransom within a certain period of time, they will publish the stolen data on the dark web. Once the data is on the dark web, cybercriminals can bid on it and then use it to commit identity theft and other frauds. So, while companies are undoubtedly the targets of ransomware attacks, the real victims of these attacks are the consumers whose information ends up in the hands of potential criminals.
Large companies such as Convergent Outsourcing not only have the resources to pay the occasional ransom, but they also have the ability (and responsibility) to implement strong data security systems designed to prevent these attacks before they occur. However, companies may prioritize short-term profits over the long-term well-being of their customers, which too often results in vulnerable data security systems that can be exploited by hackers.
At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by the Convergent Outsourcing data breach or any other data security incident, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.
Below is a copy of the initial data breach letter issued by Convergent Outsourcing, Inc. (the actual notice sent to consumers can be found here):
Convergent Outsourcing, Inc. (“Convergent”) is sending this letter as part of our commitment to privacy. Convergent performs debt collection services and, during the course of performing those services, receives personal information. We are contacting you regarding a security incident at Convergent which may have involved some of your personal information. We want you to understand what happened, what we are doing about it, the steps you can take to protect yourself, and how we can help you.
On June 17, 2022, we became aware of an interruption to certain services performed by Convergent affecting certain computer systems. We immediately began taking steps to secure our systems and launched an investigation to better understand the nature of the service interruption. We immediately took action to secure our systems, isolated any impacted servers against additional spread and severed the unauthorized actor’s access to our network and servers. We, with the assistance of third party experts, also expanded our investigation to search for and review any personal information on our systems that could have been accessed.
We discovered that an external actor gained unauthorized access to our systems and deployed a ransomware malware. The investigation also revealed that the unauthorized actor deployed certain data extraction tools on one storage drive that is used to save and share files internally.
What Information Was Involved.
Please note that we are providing this information in an abundance of caution, as the thorough investigation could not confirm your personal information was actually viewed by the unauthorized actor.
However, our investigation revealed the following personal information may have been involved in the unauthorized actor’s access of the internal drive referenced above: name, contact information, financial account number, and social security number.
What We Are Doing.
Convergent takes the confidentiality, privacy, and security of information in our care seriously. When we discovered the service interruption, we, with the assistance of third party experts, immediately deployed an array of containment and remediation steps.
We immediately took action to secure our systems and proactively managed our network to sever connectivity and prevent the movement of the unauthorized actor. We reset all passwords, and engaged third-party experts to assist with containment, removal, and restoration. We also coordinated with our clients and vendors to inform them of this event so they could deploy similar proactive measures on their own computer systems. We have since deployed additional cybersecurity measures and reviewed policies and procedures relating to data privacy and security to further harden our systems against future attacks.
While the investigation has not revealed any misuse of your personal information, nor any attempts at fraud or identity theft, out of an abundance of caution, we are providing you with twelve months of credit monitoring and identity protection services through IDX at no cost to you. A description of the services and instructions on how to enroll can be found below in the What You Can Do section. Please note that you must complete the enrollment process yourself, as we are not permitted to enroll you in these services on your behalf.
What You Can Do.
While we are not aware of any misuse of your personal information, below is information about steps that an individual may take to protect against potential misuse of their personal information.
We encourage you to, as always, remain vigilant and monitor your account statements, insurance transactions, and free credit reports for potential fraud and identity theft, and promptly report any concerns. We also suggest you regularly review bills, notices, and statements. You should always be alert in monitoring account statements and transactions for fraud and identity theft, and promptly report any questionable or suspicious activity.
In addition, you may contact the Federal Trade Commission (“FTC”) or law enforcement, including your state Attorney General, to report incidents of identity theft or to learn about steps you can take to protect yourself from identity theft. To learn more, you can go to the FTC’s Website, at [Redacted], or call the FTC, at (877) IDTHEFT (438-4338) or write to Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580.
For More Information.
If you have questions about this letter, please call 1-833-814-1691 toll-free Monday through Friday from 9 am – 9 pm Eastern Time, or go to [Redacted]. The toll free number and website have been created to answer your questions about the incident and to help you enroll in identity theft and credit monitoring services.
We sincerely apologize for the worry and inconvenience this matter may cause. Convergent is committed to continued transparency and support for those potentially impacted by the incident.