Essential Wholesale & Labs

The Pennsylvania Attorney General's Office disclosed a data breach affecting Essential Wholesale & Labs on February 16, 2023. The incident stemmed from unauthorized code injected into the company's website, leading to the potential exposure of sensitive customer data. Compromised information includes names, shipping addresses, payment card details, and email addresses for transactions conducted during two distinct periods: April 27 – May 22, 2022, and October 11 – November 5, 2022. While the total number of impacted individuals remains undisclosed, exposure was confirmed for at least five Rhode Island residents.

The breach resulted from a website compromise, likely due to a vulnerability exploited to inject malicious code. The exposed data, particularly payment card information, poses significant risks, including financial fraud and identity theft. Although the company has not detailed the attack vector (e.g., third-party plugin, unpatched software), the incident underscores critical gaps in web security controls. No evidence suggests ransomware or a broader systemic attack, but the exposure of financial and personal identifiers elevates the severity due to the potential for downstream fraud and reputational harm. The company has not publicly confirmed whether the vulnerability has been remediated or whether affected customers were notified beyond regulatory disclosures.

Source: https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/8a28027b-a741-4305-a982-d37f04cda0cb.shtml

TPRM report: https://www.rankiteo.com/company/essential-labs

"id": "ess002091825",
"linkid": "essential-labs",
"type": "Breach",
"date": "5/2022",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'At least 5 (Rhode Island '
                                              'residents), total unspecified',
                        'name': 'Essential Wholesale & Labs',
                        'type': 'Business'}],
 'attack_vector': 'Unauthorized code injection on website',
 'data_breach': {'data_exfiltration': 'Potential (unauthorized code added to '
                                      'website)',
                 'number_of_records_exposed': 'Unspecified (at least 5 Rhode '
                                              'Island residents affected)',
                 'personally_identifiable_information': 'Yes (names, '
                                                        'addresses, email '
                                                        'addresses)',
                 'sensitivity_of_data': 'High (PII and payment card data)',
                 'type_of_data_compromised': ['Customer names',
                                              'Shipping addresses',
                                              'Payment card information',
                                              'Email addresses']},
 'date_publicly_disclosed': '2023-02-16',
 'description': "The Pennsylvania Attorney General's Office reported a data "
                'breach involving Essential Wholesale & Labs on February 16, '
                '2023. The breach occurred when unauthorized code was added to '
                "the company's website, potentially exposing customer names, "
                'shipping addresses, payment card information, and email '
                'addresses from purchases made between April 27 - May 22, '
                '2022, and October 11 - November 5, 2022.',
 'impact': {'data_compromised': ['Customer names',
                                 'Shipping addresses',
                                 'Payment card information',
                                 'Email addresses'],
            'identity_theft_risk': 'High (payment card and PII exposed)',
            'payment_information_risk': 'High (payment card information '
                                        'exposed)',
            'systems_affected': ['Company website']},
 'initial_access_broker': {'entry_point': 'Company website (unauthorized code '
                                          'injection)',
                           'high_value_targets': ['Customer payment and PII '
                                                  'data']},
 'references': [{'source': "Pennsylvania Attorney General's Office"}],
 'regulatory_compliance': {'regulatory_notifications': 'Pennsylvania Attorney '
                                                       "General's Office"},
 'response': {'law_enforcement_notified': 'Yes (Pennsylvania Attorney '
                                          "General's Office)"},
 'title': 'Data Breach at Essential Wholesale & Labs via Unauthorized Website '
          'Code',
 'type': 'Data Breach'}