On July 30, 2013, Exelixis experienced a data breach due to the theft of company equipment containing sensitive personal information. The compromised data included names, addresses, birth dates, financial account numbers, and Social Security numbers of an unspecified number of individuals. While the theft occurred, there has been no confirmed evidence of unauthorized access or misuse of the stolen data as of the report by the California Office of the Attorney General on August 16, 2013. The incident highlights vulnerabilities in physical security controls, as the breach stemmed from the loss of hardware rather than a direct cyber intrusion. The potential risk remains significant given the nature of the exposed data, which could facilitate identity theft or financial fraud if exploited by malicious actors.
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-42478
TPRM report: https://www.rankiteo.com/company/exelixis
"id": "exe953091725",
"linkid": "exelixis",
"type": "Breach",
"date": "7/2013",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"{'affected_entities': [{'customers_affected': 'Unknown',
'industry': 'Biotechnology/Pharmaceuticals',
'location': 'California, USA',
'name': 'Exelixis',
'type': 'Corporation'}],
'attack_vector': 'Theft of Company Equipment',
'data_breach': {'data_exfiltration': 'No (physical theft; no confirmed '
'unauthorized access)',
'number_of_records_exposed': 'Unknown',
'personally_identifiable_information': ['Names',
'Addresses',
'Birth Dates',
'Social Security '
'Numbers'],
'sensitivity_of_data': 'High (includes SSNs and financial '
'account numbers)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Financial Data']},
'date_detected': '2013-07-30',
'date_publicly_disclosed': '2013-08-16',
'description': 'On August 16, 2013, the California Office of the Attorney '
'General reported a data breach involving Exelixis that '
'occurred on July 30, 2013. The breach involved the theft of '
'company equipment containing personal data, including names, '
'addresses, birth dates, financial account numbers, and social '
'security numbers, although no actual access or misuse of the '
'data has been reported. The number of individuals affected is '
'unknown.',
'impact': {'data_compromised': ['Names',
'Addresses',
'Birth Dates',
'Financial Account Numbers',
'Social Security Numbers'],
'identity_theft_risk': 'Potential (no confirmed misuse)',
'payment_information_risk': 'Potential (financial account numbers '
'exposed)'},
'initial_access_broker': {'entry_point': 'Physical theft of equipment'},
'investigation_status': 'No confirmed misuse of data reported',
'post_incident_analysis': {'root_causes': 'Inadequate physical security '
'controls for equipment containing '
'sensitive data'},
'references': [{'source': 'California Office of the Attorney General'}],
'regulatory_compliance': {'regulatory_notifications': 'California Office of '
'the Attorney General'},
'response': {'communication_strategy': 'Public disclosure via California '
'Office of the Attorney General'},
'title': 'Exelixis Data Breach via Theft of Company Equipment (2013)',
'type': 'Data Breach (Physical Theft)'}