The Hershey Company suffered a major data breach in which people’s payment data and personally identifiable information (PII) were both taken.
The famous chocolate maker has filed a notification with the Maine Attorney General’s office, stating that in early September, some of its employees fell prey to a phishing attack.
The attack resulted in the theft of sensitive data, including Financial Account Numbers or Credit/Debit Card Numbers (in combination with security codes, access codes, passwords, or PINs for the account). In total, 2,214 people were affected by the incident.
Identity theft
According to The Register, Hershey subsequently conducted its investigation and then notified affected individuals of its results. In the letter, it said that the attackers “may have had access to certain personal information,” but stressed that there was “no evidence that any information was acquired or misused.”
As per the notification letter, the hackers accessed people’s first and last names, health and medical information, health insurance information, digital signatures, dates of birth, addresses and contact information, driver’s license numbers, credit card numbers with passcodes or security codes, and credentials for online accounts and financial accounts including routing numbers.
That’s more than enough for phishing attacks, identity theft, or wire fraud. Hershey’s customers should be extra wary of any incoming email or SMS messages claiming to be from the company.
“Upon learning of the incident, Hershey worked to block the unauthorized user’s access and confirm that the affected Hershey accounts were no longer in use by the unauthorized user,” it was added in the letter. To strengthen its systems and prevent future similar occurrences, the company forced all users to change their passwords. It introduced “additional detection safeguards to our corporate email environment,” the company concluded.
Despite finding no evidence of data misuse, Hershey still offered two years of free identity protection services to affected individuals via Experian IdentityWorks.