Echo reported a data breach to the Vermont Attorney General, where unauthorized third parties potentially accessed and acquired sensitive personal identifiable information (PII) between July 25–28, 2025. The breach was detected on July 28, 2025, prompting an investigation. While the exact compromised data remains undisclosed as of November 24, 2025, Vermont’s guidelines define affected PII as potentially including names, Social Security numbers, driver’s license/ID numbers, financial account details, biometric/genetic data, and health records. Echo began notifying impacted individuals on November 21, 2025, offering credit monitoring services. The breach suggests exposure of highly sensitive customer data, though no confirmation of misuse (e.g., fraud, identity theft) has been reported. The incident highlights risks to financial, reputational, and privacy integrity, with potential long-term consequences for affected individuals.
Source: https://straussborrelli.com/2025/11/24/the-echo-design-group-data-breach-investigation/
Echo cybersecurity rating report: https://www.rankiteo.com/company/echo-managed-services
"id": "ECH1120911112625",
"linkid": "echo-managed-services",
"type": "Breach",
"date": "7/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'name': 'Echo'}],
'customer_advisories': 'Notification letters mailed to affected individuals '
'(November 21, 2025) with details on impacted data '
'types and credit monitoring services.',
'data_breach': {'data_exfiltration': 'Potential (data may have been accessed '
'and acquired by an unauthorized third '
'party)',
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (includes SSN, financial, '
'biometric, and health data)',
'type_of_data_compromised': ['Personal Identifiable '
'Information (PII)',
'Potentially: Name, Social '
'Security number, Driver’s '
'license or government-issued ID '
'numbers, Financial account '
'numbers, Biometric data, '
'Genetic information, Health '
'records']},
'date_detected': '2025-07-28',
'date_publicly_disclosed': '2025-11-21',
'description': 'Echo reported a data breach to the Attorney General of '
'Vermont, where sensitive personal identifiable information '
'(PII) in its care may have been compromised. Suspicious '
'activity was detected on July 28, 2025, prompting an '
'investigation. Unauthorized access occurred between July 25 '
'and July 28, 2025. The exact type of PII exposed remains '
'undisclosed as of November 24, 2025, but may include names, '
'Social Security numbers, driver’s license numbers, financial '
'account details, biometric data, genetic information, and '
'health records. Notification letters were mailed to affected '
'individuals on November 21, 2025, offering complimentary '
'credit monitoring services.',
'impact': {'data_compromised': ['Name',
'Social Security number',
'Driver’s license or other government-issued '
'ID card numbers (e.g., individual taxpayer '
'ID number, passport number, military ID card '
'number)',
'Financial account number or credit or debit '
'card number',
'Unique biometric data (e.g., fingerprint, '
'retina or iris image, or other unique '
'biometric representation)',
'Genetic information',
'Health record or records of a wellness '
'program or similar program of health '
'promotion or disease prevention (e.g., '
'healthcare professional’s medical diagnosis '
'or treatment of the consumer, health '
'insurance policy number)'],
'identity_theft_risk': 'Potential (due to exposed PII)',
'payment_information_risk': 'Potential (financial account numbers '
'or credit/debit card numbers may have '
'been exposed)',
'systems_affected': 'Certain computer systems within its network'},
'investigation_status': 'Ongoing (as of November 24, 2025, exact PII types '
'not yet disclosed)',
'references': [{'source': 'Vermont Attorney General - Echo Data Breach '
'Notice'}],
'regulatory_compliance': {'regulatory_notifications': 'Reported to the '
'Attorney General of '
'Vermont'},
'response': {'communication_strategy': 'Notification letters mailed to '
'affected individuals (November 21, '
'2025) with complimentary credit '
'monitoring services offered.',
'incident_response_plan_activated': True},
'threat_actor': 'Unauthorized third party',
'title': 'Echo Data Breach - July 2025',
'type': 'Data Breach'}