Posted On November 9, 2022 Consumer Privacy & Data Breaches
On November 7, 2022, CWGS Group, a holding company that does business under the name Camping World, filed notice of a data breach with the Massachusetts Attorney General after the company confirmed that an unauthorized party was able to access sensitive consumer information stored on the company’s computer servers. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to the following consumer information: names, dates of birth, Social Security numbers, driver’s license numbers, government ID numbers, tax ID numbers, financial account numbers, debit & credit card numbers, digital & electronic signatures, and usernames & passwords. After confirming that consumer data was leaked, Camping World began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.
If you received a data breach notification, it is essential you understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating the Camping World data breach on behalf of people whose information was exposed. As a part of this investigation, we are providing free consultations to anyone affected by the breach who is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from CWGS Group.
The available information regarding the Camping World breach comes from the company’s filing with the Massachusetts Attorney General as well as a notice posted on the Camping World website. According to these sources, on February 9, 2022, CWGS detected suspicious activity within its computer system. Suspecting a possible cyberattack, the company secured its systems and then began working with third-party data security specialists to investigate the incident and determine what, if any, consumer information was leaked as a result.
The company’s investigation determined that an unauthorized party accessed CWGS’s systems between January 14, 2022 and February 13, 2022, and that sensitive information belonging to certain individuals was accessible during this time.
Upon discovering that sensitive consumer data was made available to an unauthorized party, Camping World began to review the affected files to determine what information was compromised and which consumers were impacted. CWGS completed its review of the affected data on July 20, 2022. While the breached information varies depending on the individual, it may include your name, date of birth, Social Security number, driver’s license number, government ID number, tax ID number, financial account numbers, debit & credit card numbers, digital & electronic signature, and usernames & passwords.
On November 7, 2022, Camping World sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident. In the company’s data breach letter, it mentions that notice of the data breach was delayed upon the request of law enforcement.
CWGS Group is a holding company that includes Camping World and Good Sam. Camping World is a chain of retail stores focused on providing customers with everything they need for their recreational vehicles (“RVs”) and camping trips. Camping World also sells new and used RVs. Good Sam operates in a similar space and also rents RVs. Camping World is based in Lincolnshire, Illinois and employs more than 12,500 people, generating approximately $3 billion in annual revenue. Good Sam is based in Englewood, Colorado and employs approximately 527 people, generating $527 million in annual revenue.
The CWGS data breach was first discovered in January 2022; however, it took the company almost ten months to file official notice of the breach. If CWGS was aware that consumer data was leaked, didn’t the company increase the risks of identity theft and other fraud by waiting to provide notice of the incident?
Certainly, the answer to this question is “yes.” Hackers and other cybercriminals often attempt to use any information they steal as soon as possible—well before consumers can cancel their credit cards and alert potential lenders. Thus, by waiting to provide notice, a company gives hackers ample time to use the data for criminal purposes. However, there are some good reasons why companies do not announce a data breach immediately—there are also some not-so-good reasons.
For starters, it is entirely possible that the company simply doesn’t know what, if any, data types were compromised due to an attack. However, barring that scenario, there are other reasons why companies may hold off on notifying individuals or state governments about a breach.
One possible explanation for a delayed breach report is that the company doesn’t realize it has been hacked until weeks or months after the incident. In these cases, there is little a business can do if it is unaware of a breach. Of course, those organizations with strong data security systems should be able to identify and contain a breach rather quickly. So, while companies can’t report a breach they are unaware of, that isn’t exactly a good excuse.
Another reason why a data breach may not be reported immediately is that the company is cooperating with a law enforcement investigation. In some situations, law enforcement agencies ask victimized businesses to hold off on reporting a breach so as not to alert hackers that the breach has been detected and is under investigation. Not reporting the breach gives law enforcement time to conduct an investigation and, potentially, catch the criminals who orchestrated the attack. Based on the explanation provided in the Camping World “Notice of Data Incident,” it appears that this was the reason CWGS delayed notifying consumers of the breach.
Finally, another reason why a company may not immediately report a breach is that the company is in the process of reviewing the leaked data to see what data types were exposed and who was affected. Once a company learns of a data breach, it needs to review the compromised files, which can take time. However, there is nothing stopping a company from issuing a preliminary notice to all customers whose information may have been affected.
The bottom line is that just because a company waits to file official notice of a data breach doesn’t mean the company is being negligent of the risks the breach poses to consumers. However, even if a company’s delay is excusable, the breach itself may not be. Companies have an obligation to protect the consumer information in their care, and when they fail to do so, affected parties may pursue a data breach lawsuit against the company.
At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by the Camping World data breach or any other data security incident, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.
Below is a copy of the initial data breach letter issued by CWGS Group (the actual notice sent to consumers can be found here):
CWGS Group (“CWGS”), including Camping World and Good Sam, has learned of a data incident that may have involved certain individuals’ personal information. On February 9, 2022, CWGS learned of suspicious activity on its network. Upon discovering the incident, CWGS promptly began an internal investigation and engaged a forensic security firm to investigate and secure its computer systems. The investigation determined that an unknown third party accessed CWGS’s systems from January 14, 2022 to February 13, 2022 and that certain personal information may have been accessed and/or acquired from its systems as a part of the incident. CWGS conducted a comprehensive review of the involved data to determine if it contained any personal information. On July 20, 2022, CWGS determined that the data contained some individuals’ personal information. The type of information at issue varied for each individual, but may have included name, date of birth, Social Security number, driver’s license number, state, federal, or foreign ID number, tax ID number, financial account number with and without account access information, debit/credit card number with and without CVV and/or expiration date, digital/electronic signature, and username and password. CWGS has been cooperating with law enforcement’s investigation of the incident and, at the request of law enforcement, CWGS delayed notification while their investigation was ongoing. CWGS now has permission from law enforcement to provide notification of the incident.
On November 3, 2022, CWGS began sending written notification to the individuals whose personal information was contained in the files and for whom CWGS has contact information. Individuals should refer to the notice they will receive in the mail regarding steps they can take to protect themselves. As described in those letters, CWGS has arranged for complimentary identity theft protection services for those individuals whose Social Security numbers, driver’s license number, state, federal, or foreign ID numbers, and/or tax ID number were involved in the incident.
CWGS is not aware of anyone’s information having been misused in relation to the incident; however, as a precautionary measure, involved individuals should remain vigilant to protect against potential fraud and/or identity theft by, among other things, reviewing their account statements, monitoring their credit reports closely, and notifying their financial institutions if unusual activity is detected. They should also promptly report any fraudulent activity or suspected identity theft to proper law enforcement authorities, including the police and their state’s attorney general. Affected individuals may also wish to review the tips provided by the Federal Trade Commission (“FTC”) on fraud alerts, security/credit freezes and steps that they can take to avoid identity theft. For more information and to contact the FTC, please visit [Redacted] or call 1-877-ID-THEFT (1-877-438-4338). Affected individuals may also contact the FTC at: Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580.