On November 10, 2017, Quest Nutrition suffered a data breach due to unauthorized access to an employee’s email account. The incident exposed sensitive personal information of employees and partners, including names, addresses, usernames, passwords, driver’s license details, medical records, financial data, and Social Security numbers. The breach was not publicly disclosed until September 28, 2018, nearly a year later. The compromised data posed significant risks, such as identity theft, financial fraud, and potential misuse of medical and personally identifiable information (PII). The delay in notification further exacerbated concerns about the company’s incident response and data protection measures. The breach underscored vulnerabilities in securing employee credentials and the broader implications of third-party access to sensitive corporate systems.
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-140248
TPRM report: https://www.rankiteo.com/company/quest-nutrition
"id": "que959091725",
"linkid": "quest-nutrition",
"type": "Breach",
"date": "11/2017",
"severity": "85",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"{'affected_entities': [{'industry': 'Health & Wellness (Nutrition)',
'location': 'California, USA',
'name': 'Quest Nutrition',
'type': 'Company'}],
'attack_vector': 'Unauthorized Access (Employee Email Account)',
'data_breach': {'data_exfiltration': 'Likely (Unauthorized access to email '
'account)',
'personally_identifiable_information': ['Names',
'Addresses',
'Usernames',
'Passwords',
"Driver's License "
'Numbers',
'Social Security '
'Numbers'],
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Protected Health Information '
'(PHI)',
'Financial Data']},
'date_detected': '2017-11-10',
'date_publicly_disclosed': '2018-09-28',
'description': 'The California Office of the Attorney General reported that '
'Quest Nutrition experienced a data breach on November 10, '
'2017, affecting personal information of employees and '
'partners. The breach resulted from unauthorized access to an '
'employee email account, potentially compromising names, '
"addresses, usernames, passwords, driver's license "
'information, medical information, financial data, and Social '
'Security numbers.',
'impact': {'data_compromised': ['Names',
'Addresses',
'Usernames',
'Passwords',
"Driver's License Information",
'Medical Information',
'Financial Data',
'Social Security Numbers'],
'identity_theft_risk': 'High (PII and sensitive data exposed)',
'payment_information_risk': 'Potential (Financial data '
'compromised)',
'systems_affected': ['Employee Email Account']},
'initial_access_broker': {'entry_point': 'Employee Email Account'},
'references': [{'source': 'California Office of the Attorney General'}],
'regulatory_compliance': {'regulations_violated': ['Potential violation of '
'California Data Breach '
'Notification Law (Civil '
'Code § 1798.29 et seq.)',
'Potential HIPAA violation '
'(if medical data was '
'unsecured PHI)'],
'regulatory_notifications': 'California Office of '
'the Attorney General'},
'response': {'communication_strategy': 'Public Disclosure (2018-09-28)',
'law_enforcement_notified': 'Yes (Reported to California Office '
'of the Attorney General)'},
'title': 'Quest Nutrition Data Breach (2017)',
'type': 'Data Breach'}