Posted On October 5, 2022 Consumer Privacy & Data Breaches
On September 21, 2022, Mount Vernon Mills filed notice of a data breach with the office of the Maine Attorney General after the company learned it was the target of a recent cyberattack. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to the names, Social Security Numbers, birth dates, and addresses of employees, retirees and beneficiaries who participate in or are or were eligible for a retirement plan offered by the company. After confirming that consumer data was leaked, Mount Vernon Mills began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.
If you received a data breach notification, it is essential you understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating the Mount Vernon Mills data breach on behalf of people whose information was exposed. As a part of this investigation, we are providing free consultations to anyone affected by the breach who is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from Mount Vernon Mills.
The available information regarding the Mount Vernon Mills breach comes from the company’s filing with the Maine Attorney General. According to this source, on August 20, 2022, Mount Vernon Mills learned that an unauthorized party had hacked into the company’s computer system. Specifically, the hacker targeted individuals within the company who had access to retirement plan holders’ personal and sensitive information. Additionally, the hackers encrypted the company’s network, preventing internal access.
Upon learning of the cyberattack, Mount Vernon Mills launched an investigation into the incident with the assistance of third-party cybersecurity specialists. On September 1, 2022, this investigation confirmed that the unauthorized party not only encrypted the data, but they also removed it from the system and began to sell it on the dark web.
Upon discovering that sensitive consumer data was made available to an unauthorized party, Mount Vernon Mills began to review the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, Social Security number, date of birth and address.
On September 21, 2022, Mount Vernon Mills sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
Founded in 1947, Mount Vernon Mills, Inc. is a textile manufacturer based in Mauldin, South Carolina. The company is owned by its parent company, R. B. Pamplin Corporation, which is located in Portland, Oregon. Mount Vernon Mills creates products for the apparel, industrial, institutional, and commercial markets, including denim, piece-dyed and flame-resistant fabrics for apparel, pocketing, textile sizing and finishing chemicals. Mount Vernon Mills also operates Mount Vernon Chemicals, LLC. Mount Vernon Mills employs more than 2,918 people and generates approximately $245 million in annual revenue.
The Mount Vernon Mills filing with the Maine Attorney General provided a fair amount of detail about the cyberattack leading up to the data breach. While the company did not use the term “ransomware” to describe the event, it appears that Mount Vernon Mills was indeed the target of a ransomware attack. This is a fair assumption based on the fact that the data on the Mount Vernon Mills network was encrypted by the hackers.
Encryption is a process that encodes files, preventing access to anyone who does not have the encryption key, which is typically an alpha-numeric password. Every day, people encrypt files as a way to protect them from unauthorized access. However, cybercriminals also use encryption when carrying out ransomware attacks.
A ransomware attack is one of the most common types of cyberattacks. They start with a hacker installing malicious software, or malware, on a company’s computer network. Hackers may do this by sending an employee phishing email in hopes of getting them to click on a malicious link that downloads the malware onto the employee’s computer, which then infects the network. The malware then locks all employees out of their devices. Next, the hackers send management a message demanding a ransom to unencrypt the network. Once the company pays the ransom, the hackers decrypt their computer, which ends the attack—at least from the company’s perspective. However, in carrying out this type of attack, hackers gain access to all the information on the company’s network.
Recently, hackers have started to threaten to publish stolen data if a company refuses to pay the ransom. Indeed, this is exactly what Mount Vernon Mills explains happened after it learned its network had been encrypted. Of course, once information is on the dark web, cybercriminals can bid on the data, which they can then use to commit identity theft and other frauds.
While companies experiencing a ransomware attack are victims in some sense, the real victims of these attacks are the consumers whose information ends up in the hands of those looking to commit fraud. Companies not only have the resources to pay an occasional ransom, but they also have the ability (and responsibility) to implement strong data security systems designed to prevent these attacks in the first place. On the other hand, there is absolutely nothing a consumer can do to prevent a ransomware attack.
At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by the Mount Vernon Mills data breach or any other data security incident, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.
To schedule your free consultation, just call (866) 778-5500 today or fill out our secure contact form.
Below is a copy of the initial data breach letter issued by Mount Vernon Mills (the actual notice sent to consumers can be found here):
Dear [Redacted],
On August 20, 2022, unauthorized persons hacked into the account of individuals at the Company who maintain information for the Retirement Plans for the Company’s employees, retirees, and beneficiaries who participate in or are or were eligible for the Company’s plans. The unauthorized persons encrypted the servers on which data was stored so that the Company could no longer access the account data. Consequently, the Company immediately launched an internal investigation and contracted with two outside firms to assist with the investigation. On September 1, 2022, the Company’s investigation determined that the unauthorized persons had not only encrypted the Company’s data, they also acquired and began to sell certain data on the dark web regarding employees, retirees, and beneficiaries who participate in or are or were eligible for the Company’s Plans.
WHAT INFORMATION WAS INVOLVED
The personal information involved in this cyberattack included the names, Social Security Numbers, birth dates, and addresses of employees, retirees and beneficiaries who participate in or are or were eligible for the Company’s retirement plans. There is no evidence that the unauthorized persons accessed or acquired any health-related information or any financial information such as account numbers, routings, or credit card information.
WHAT WE ARE DOING
The Company takes this incident very seriously. Immediately after the Company’s determination that a data breach had occurred on September 1, 2022, the Company took the following steps to contain, mitigate, and remedy the security incident:
Contracted with a third outside firm to assist the Company with its efforts to mitigate the effects of the cyberattack and to prevent future cyber attacks;
Improved security firewalls;
Upgraded software versions;
Changed all system passwords and strengthened security rules; and
Recovered or rebuilt the data that was subject to the cyberattack.
