The Hershey Company suffered a major data breach that compromised both people's payment information and personally identifiable information (PII).
The famed chocolate maker has filed a report with the Maine Attorney General's office, stating that some of its employees fell prey to a phishing attack in early September.
The attack resulted in the theft of sensitive data, including financial account numbers or credit/debit card numbers (along with security codes, access codes, passwords, or account PINs). A total of 2,214 people were affected by the incident.
Identity theft
According to The register, Hershey then conducted its investigation and then notified the individuals involved of the results. The letter said the attackers “may have had access to certain personal information,” but emphasized that there was “no evidence that any information was obtained or misused.”
According to the notification letter, the hackers gained access to people's first and last names, health and medical information, health insurance information, digital signatures, dates of birth, addresses and contact information, driver's license numbers, credit card numbers with access codes or security codes, and online account login credentials and financial accounts, including routing numbers.
That's more than enough for phishing attacks, identity theft or wire fraud. Hershey's customers should be extra wary of incoming email or text messages claiming to be from the company.
“Upon learning of the incident, Hershey attempted to block the unauthorized user's access and confirm that the affected Hershey accounts were no longer in use by the unauthorized user,” the letter said. To strengthen its systems and prevent future similar events, the company forced all users to change their passwords. It introduced “additional detection protections for our corporate email environment,” the company concluded.
Even though no evidence of data misuse was found, Hershey still offered two years of free identity protection services to affected individuals through Experian IdentityWorks.