The Vermont Office of the Attorney General disclosed a data breach affecting NICO Corporation, stemming from a vulnerability in the MOVEit software platform. The incident, which occurred on November 30, 2023, was reported on January 17, 2024. The breach exposed sensitive personal information of current and former employees, including names, dates of birth, and Social Security numbers. Approximately 250 individuals were potentially impacted. The exposure was linked to an exploit in MOVEit, a widely used file-transfer tool, which had been targeted by cybercriminals in a broader campaign. While the exact method of exploitation was not detailed, the breach highlights risks associated with third-party software vulnerabilities. No evidence of misuse of the stolen data has been confirmed, but the exposed information could facilitate identity theft or fraud. NICO Corporation has likely initiated notifications to affected individuals and may be implementing remediation measures, including credit monitoring services and security enhancements to prevent future incidents.
TPRM report: https://www.rankiteo.com/company/nico-neuro-and-spine
{
  "id": "nic219090725",
  "linkid": "nico-neuro-and-spine",
  "type": "Vulnerability",
  "date": "11/2023",
  "severity": "60",
  "impact": "3",
  "explanation": "Attack with significant impact with internal employee data leaks"
}
{'affected_entities': [{'customers_affected': '0',
                        'name': 'NICO Corporation',
                        'type': 'Corporation'}],
 'attack_vector': 'Exploitation of Software Vulnerability (MOVEit)',
 'data_breach': {'data_exfiltration': 'Likely',
                 'number_of_records_exposed': '250',
                 'personally_identifiable_information': ['names',
                                                         'dates of birth',
                                                         'social security numbers'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personally Identifiable Information (PII)']},
 'date_publicly_disclosed': '2024-01-17',
 'description': "The Vermont Office of the Attorney General reported a data breach involving NICO Corporation, related to a vulnerability in the MOVEit software platform. The breach occurred on November 30, 2023, and may have affected current and former employees' names, dates of birth, and social security numbers. Approximately 250 individuals may have been impacted by this incident.",
 'impact': {'data_compromised': ['names',
                                 'dates of birth',
                                 'social security numbers'],
            'identity_theft_risk': 'High (PII exposed)',
            'systems_affected': ['MOVEit software platform']},
 'references': [{'date_accessed': '2024-01-17',
                 'source': 'Vermont Office of the Attorney General'}],
 'regulatory_compliance': {'regulatory_notifications': 'Vermont Office of the Attorney General'},
 'response': {'communication_strategy': 'Public disclosure via Vermont Office of the Attorney General'},
 'title': 'NICO Corporation Data Breach via MOVEit Vulnerability',
 'type': 'Data Breach',
 'vulnerability_exploited': 'MOVEit software vulnerability'}