On January 30, 2023, Brightline, Inc. experienced a data breach due to unauthorized access to its GoAnywhere MFT Software-as-a-Service (SaaS) platform by an external threat actor. The incident was publicly disclosed by the California Office of the Attorney General on May 10, 2023. The breach exposed sensitive personal information of individuals, including names and Social Security numbers (SSNs). While the exact number of affected individuals remains undisclosed, the compromise of such high-value data—particularly SSNs—poses significant risks, including identity theft, financial fraud, and long-term reputational harm to the company. The breach stemmed from a vulnerability in the third-party file-transfer service, highlighting supply-chain security risks. Brightline, a mental health services provider for children and families, faces potential regulatory scrutiny under state data protection laws (e.g., CCPA) and may incur costs related to notifications, credit monitoring, and legal liabilities. The incident underscores the critical need for robust access controls and vendor risk management in healthcare-adjacent sectors.
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-566585
TPRM report: https://www.rankiteo.com/company/hellobrightline
"id": "hel440082125",
"linkid": "hellobrightline",
"type": "Breach",
"date": "1/2023",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Unknown',
'location': 'California, USA',
'name': 'Brightline, Inc.',
'type': 'Organization'}],
'attack_vector': 'Unauthorized Access (GoAnywhere MFT SaaS)',
'data_breach': {'data_exfiltration': 'Potential',
'number_of_records_exposed': 'Unknown',
'personally_identifiable_information': ['Names',
'Social Security '
'Numbers'],
'sensitivity_of_data': 'High (includes SSNs)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)']},
'date_detected': '2023-01-30',
'date_publicly_disclosed': '2023-05-10',
'description': 'The California Office of the Attorney General reported a data '
'breach involving Brightline, Inc. on May 10, 2023. The breach '
'occurred on January 30, 2023, due to unauthorized access to '
'the GoAnywhere MFT Software-as-a-Service by an unauthorized '
'party, potentially compromising various personal information '
'of individuals, including names and Social Security numbers. '
'The number of individuals affected is currently unknown.',
'impact': {'data_compromised': ['Names', 'Social Security Numbers'],
'identity_theft_risk': 'Potential (due to SSN exposure)',
'systems_affected': ['GoAnywhere MFT SaaS']},
'initial_access_broker': {'entry_point': 'GoAnywhere MFT SaaS'},
'references': [{'date_accessed': '2023-05-10',
'source': 'California Office of the Attorney General'}],
'regulatory_compliance': {'regulatory_notifications': ['California Office of '
'the Attorney '
'General']},
'response': {'communication_strategy': 'Public disclosure via California '
'Office of the Attorney General'},
'title': 'Brightline, Inc. Data Breach via GoAnywhere MFT SaaS Unauthorized '
'Access',
'type': 'Data Breach'}