The California Office of the Attorney General disclosed a data breach affecting Osaic, stemming from a systems intrusion at its third-party vendor, R.R. Donnelley & Sons Company, on December 23, 2021. The incident exposed sensitive personal information, including names, addresses, and Social Security numbers of an undisclosed number of individuals. The breach was reported publicly on August 17, 2023, highlighting a delayed discovery or notification timeline. The compromised data suggests a high-risk scenario where personally identifiable information (PII) was accessed by unauthorized actors, potentially enabling identity theft, financial fraud, or targeted phishing attacks. The involvement of a vendor introduces additional complexity, as the breach originated outside Osaic’s direct control, raising concerns about supply chain security and the adequacy of third-party risk management protocols. The lack of clarity on the number of affected individuals further complicates risk assessment and response efforts.
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-572025
TPRM report: https://www.rankiteo.com/company/osaicinc
"id": "osa1014090725",
"linkid": "osaicinc",
"type": "Breach",
"date": "12/2021",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Unknown',
                        'industry': 'Wealth Management',
                        'location': 'United States (California)',
                        'name': 'Osaic',
                        'type': 'Financial Services'},
                       {'industry': 'Printing & Business Communications',
                        'location': 'United States',
                        'name': 'R.R. Donnelley & Sons Company',
                        'type': 'Vendor'}],
 'attack_vector': 'Systems Intrusion (via Third-Party Vendor)',
 'data_breach': {'data_exfiltration': 'Potential',
                 'number_of_records_exposed': 'Unknown',
                 'personally_identifiable_information': ['Names',
                                                         'Addresses',
                                                         'Social Security '
                                                         'Numbers'],
                 'sensitivity_of_data': 'High (PII including SSNs)',
                 'type_of_data_compromised': ['Personal Information']},
 'date_detected': '2021-12-23',
 'date_publicly_disclosed': '2023-08-17',
 'description': 'The California Office of the Attorney General reported a data '
                'breach involving Osaic on August 17, 2023. The breach, which '
                'occurred on December 23, 2021, involved a systems intrusion '
                'at a vendor, R.R. Donnelley & Sons Company, potentially '
                'exposing personal information including names, addresses, and '
                'social security numbers; the number of affected individuals '
                'is currently unknown.',
 'impact': {'data_compromised': ['Names',
                                 'Addresses',
                                 'Social Security Numbers'],
            'identity_theft_risk': 'Potential (due to exposed PII)'},
 'references': [{'date_accessed': '2023-08-17',
                 'source': 'California Office of the Attorney General'}],
 'regulatory_compliance': {'regulatory_notifications': 'California Office of '
                                                       'the Attorney General'},
 'response': {'communication_strategy': 'Public disclosure via California '
                                        'Office of the Attorney General'},
 'title': 'Data Breach at Osaic via Vendor R.R. Donnelley & Sons Company',
 'type': 'Data Breach'}