In February 2024, Cencora, a US pharmaceutical giant with over $290 billion in annual revenue and 51,000 employees, suffered a major **data breach** targeting its subsidiary, **World Courier Group**. Hackers infiltrated the company’s systems and exfiltrated **sensitive personal information** of **over 1.4 million individuals**, including **current and former employees** (names, addresses, dates of birth, Social Security numbers) as well as data linked to **27 pharmaceutical and biotechnology partners**. The breach led to a **class-action lawsuit**, with Cencora agreeing to compensate affected individuals up to **$5,000 per person**, capped at **$5 million total** for documented losses. The incident exposed critical internal and partner-related data, posing significant **financial, reputational, and operational risks** to the company and its stakeholders.
TPRM report: https://www.rankiteo.com/company/cencoraglobal
"id": "cen2702127093025",
"linkid": "cencoraglobal",
"type": "Breach",
"date": "2/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '1,400,000+ individuals '
'(including employees and '
'partners)',
'industry': 'pharmaceutical distribution',
'location': 'Pennsylvania, USA',
'name': 'Cencora (COR)',
'size': '51,000 employees, $290B annual revenue',
'type': 'public company'},
{'industry': 'logistics/pharmaceutical supply chain',
'name': 'World Courier Group',
'type': 'subsidiary'},
{'industry': ['pharmaceutical', 'biotechnology'],
'name': '27+ partner pharmaceutical and biotechnology '
'companies',
'type': 'business partners'}],
'customer_advisories': ['settlement claims process for affected individuals'],
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': '1,400,000+',
'personally_identifiable_information': ['names',
'addresses',
'dates of birth',
'Social Security '
'numbers'],
'sensitivity_of_data': 'High (includes SSN, DOB, addresses)',
'type_of_data_compromised': ['personally identifiable '
'information (PII)',
'employee records',
'partner company data']},
'date_publicly_disclosed': '2024-02-01',
'description': 'A major data breach at Cencora (COR) in 2024 exposed personal '
'information of over 1.4 million individuals, including '
'employees and partners from 27+ pharmaceutical and '
'biotechnology companies. The breach involved exfiltration of '
'sensitive data such as names, addresses, dates of birth, and '
'Social Security numbers. A class-action lawsuit followed, '
'leading to a settlement offering up to $5,000 per affected '
'individual (capped at $5M total).',
'impact': {'brand_reputation_impact': 'High (class-action lawsuit, public '
'disclosure of 1.4M+ affected '
'individuals)',
'data_compromised': ['personal information (names, addresses, DOB, '
'SSN)',
'sensitive private information'],
'identity_theft_risk': 'High (SSN and PII exposed)',
'legal_liabilities': ['class-action lawsuit',
'settlement payments up to $5M'],
'systems_affected': ['World Courier Group systems',
'subsidiaries of Cencora']},
'initial_access_broker': {'high_value_targets': ['employee PII',
'partner company data']},
'ransomware': {'data_exfiltration': True},
'references': [{'source': 'The Daily Hodl'},
{'source': 'Cencora Data Breach Settlement Portal'},
{'source': 'Cencora Data Breach Notification Letter '
'(2024-12-12)'}],
'regulatory_compliance': {'legal_actions': ['class-action lawsuit',
'settlement agreement']},
'response': {'communication_strategy': ['data breach notification letters '
'(e.g., dated 2024-12-12)',
'settlement portal for claims']},
'title': 'Cencora (formerly AmerisourceBergen) Data Breach (2024)',
'type': ['data breach', 'cybersecurity attack']}