TTC reported a data breach to the Attorney General of Maine, revealing that unauthorized third-party access occurred within its internal network between July 15 and July 26, 2025. The breach exposed sensitive personally identifiable information (PII) and protected health information (PHI), including names, addresses, dates of birth, government-issued IDs, financial account details, and health records. The incident was detected on July 21, 2025, prompting an investigation to assess the scope and affected individuals. By November 21, 2025, TTC began notifying impacted parties via mail, offering credit monitoring services as mitigation. The breach involved high-risk data categories, suggesting potential misuse for identity theft, financial fraud, or medical exploitation. The delayed disclosure (nearly four months post-detection) further amplifies reputational and regulatory risks, particularly under healthcare and financial data protection laws (e.g., HIPAA, state breach notification statutes).
Source: https://straussborrelli.com/2025/11/24/the-team-companies-data-breach-investigation/
NCI Technology Transfer Center cybersecurity rating report: https://www.rankiteo.com/company/ncitechtransfer
"id": "NCI1704517112525",
"linkid": "ncitechtransfer",
"type": "Breach",
"date": "7/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Unknown (notification letters mailed to impacted individuals)',
                        'name': 'TTC',
                        'type': 'Organization'}],
 'customer_advisories': ['Notification letters with details of exposed data and credit monitoring services'],
 'data_breach': {'data_exfiltration': 'Potential (unauthorized access confirmed, but exfiltration not explicitly stated)',
                 'personally_identifiable_information': ['Name',
                                                         'Address',
                                                         'Date of birth',
                                                         'Government-issued identification number',
                                                         'Financial account information'],
                 'sensitivity_of_data': 'High (includes government-issued IDs, financial, and health data)',
                 'type_of_data_compromised': ['Personally Identifiable Information (PII)',
                                              'Protected Health Information (PHI)']},
 'date_detected': '2025-07-21',
 'date_publicly_disclosed': '2025-11-21',
 'description': 'TTC reported a data breach to the Attorney General of Maine, where unauthorized activity was detected in its internal network on July 21, 2025. The investigation confirmed that sensitive personal and protected health information may have been accessed by an unauthorized third party between July 15 and July 26, 2025. Affected individuals were notified starting November 21, 2025, and offered complimentary credit monitoring services.',
 'impact': {'brand_reputation_impact': 'Potential negative impact due to exposure of sensitive personal and health data',
            'data_compromised': ['Name',
                                 'Address',
                                 'Date of birth',
                                 'Government-issued identification number',
                                 'Financial account information',
                                 'Health information'],
            'identity_theft_risk': 'High (due to exposure of PII and financial/health data)',
            'payment_information_risk': 'High (financial account information exposed)',
            'systems_affected': ['Internal network']},
 'initial_access_broker': {'high_value_targets': ['Sensitive personal and health information']},
 'investigation_status': 'Completed (as of November 2025)',
 'references': [{'source': 'Attorney General of Maine - Breach Notice'}],
 'regulatory_compliance': {'regulatory_notifications': ['Attorney General of Maine']},
 'response': {'communication_strategy': ['Notification letters mailed to impacted individuals on 2025-11-21',
                                         'Breach notice filed with the Attorney General of Maine'],
              'incident_response_plan_activated': True,
              'recovery_measures': ['Credit monitoring services offered to affected individuals']},
 'threat_actor': 'Unauthorized third party',
 'title': 'TTC Data Breach Involving Sensitive Personal and Health Information',
 'type': 'Data Breach'}