The Maine Office of the Attorney General disclosed on March 11, 2024, that Four Seasons Service & Sales, Inc. suffered a data breach due to unauthorized malicious code injected into their website (fstanning.com). The breach was detected on February 15, 2024, but had been active since January 17, 2024, exposing sensitive data of two Maine residents. The compromised information included names, addresses, and payment card details, which are highly sensitive for financial fraud. While the breach was limited in scope (affecting only two individuals), the exposure of payment card data poses significant risks, including potential fraudulent transactions, identity theft, or misuse of financial information. The incident highlights vulnerabilities in the company’s website security, particularly against code injection attacks, which allowed threat actors to exfiltrate customer data over nearly a month before detection. Although the breach did not result in a large-scale data leak, the nature of the stolen data (payment cards) aligns with financial and reputational harm, as such incidents often lead to customer distrust, regulatory scrutiny, and potential legal liabilities. The company may face compliance penalties under data protection laws, further amplifying the impact beyond the immediate financial risks to the affected individuals.
TPRM report: https://www.rankiteo.com/company/four-seasons-sales-&-service
"id": "fou1022090725",
"linkid": "four-seasons-sales-&-service",
"type": "Cyber Attack",
"date": "1/2024",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"{'affected_entities': [{'customers_affected': 2,
'name': 'Four Seasons Service & Sales, Inc.',
'type': 'Business'}],
'attack_vector': 'Unauthorized code injection on website',
'data_breach': {'data_exfiltration': 'Likely (data compromised)',
'number_of_records_exposed': 2,
'personally_identifiable_information': ['names', 'addresses'],
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['personal identifiable '
'information (PII)',
'payment card data']},
'date_detected': '2024-02-15',
'date_publicly_disclosed': '2024-03-11',
'description': 'The Maine Office of the Attorney General reported that Four '
'Seasons Service & Sales, Inc. experienced a data breach due '
'to unauthorized code placed on their website (fstanning.com). '
'The breach affected two Maine residents, compromising names, '
'addresses, and payment card information.',
'impact': {'data_compromised': ['names',
'addresses',
'payment card information'],
'identity_theft_risk': 'High (payment card information exposed)',
'payment_information_risk': 'High',
'systems_affected': ['fstanning.com (website)']},
'initial_access_broker': {'entry_point': 'Website (fstanning.com)',
'high_value_targets': ['payment card data']},
'post_incident_analysis': {'root_causes': 'Unauthorized code injection on '
'website'},
'references': [{'date_accessed': '2024-03-11',
'source': 'Maine Office of the Attorney General'}],
'regulatory_compliance': {'regulatory_notifications': ['Maine Office of the '
'Attorney General']},
'response': {'communication_strategy': 'Public disclosure via Maine Office of '
'the Attorney General'},
'title': 'Data Breach at Four Seasons Service & Sales, Inc. via Unauthorized '
'Website Code',
'type': 'Data Breach'}