The Maine Office of the Attorney General disclosed a data breach affecting Sugar Steel Corporation between December 8–22, 2020, reported on September 17, 2021. Unauthorized actors gained access to employee email accounts, compromising the personal information of 6,276 individuals, including at least two Maine residents. The exposed data included names, addresses, and Social Security numbers (SSNs) highly sensitive identifiers that elevate risks of identity theft, financial fraud, or targeted phishing attacks. While the breach primarily impacted internal systems (employee accounts), the scale of affected individuals and the nature of the stolen data (SSNs) suggest a systemic vulnerability in access controls or email security protocols. The delayed public disclosure (nearly 9 months after the incident) further raises concerns about incident response timelines and transparency. No evidence was provided regarding ransomware demands or broader operational disruptions, but the exposure of employee-linked PII aligns with patterns of credential-based attacks exploiting weak authentication or social engineering.
TPRM report: https://www.rankiteo.com/company/sugar-steel-corp.
"id": "sug035090625",
"linkid": "sugar-steel-corp.",
"type": "Breach",
"date": "12/2020",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"{'affected_entities': [{'customers_affected': '6,276',
'name': 'Sugar Steel Corporation',
'type': 'Corporation'},
{'industry': 'Legal/Regulatory',
'location': 'Maine, USA',
'name': 'Maine Office of the Attorney General',
'type': 'Government'}],
'attack_vector': 'Unauthorized Access (Email Account Compromise)',
'data_breach': {'data_exfiltration': 'Likely (unauthorized access to email '
'accounts)',
'number_of_records_exposed': '6,276',
'personally_identifiable_information': ['Names',
'Addresses',
'Social Security '
'Numbers'],
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)']},
'date_publicly_disclosed': '2021-09-17',
'description': 'The Maine Office of the Attorney General reported a data '
'breach involving Sugar Steel Corporation. The breach occurred '
'between December 8, 2020, and December 22, 2020, and involved '
'unauthorized access to employee email accounts, potentially '
'affecting the personal information of two Maine residents '
'(among 6,276 total affected individuals), including names, '
'addresses, and Social Security numbers.',
'impact': {'data_compromised': ['Names',
'Addresses',
'Social Security Numbers'],
'identity_theft_risk': 'High (PII exposed)',
'systems_affected': ['Employee Email Accounts']},
'initial_access_broker': {'entry_point': 'Employee Email Accounts'},
'references': [{'date_accessed': '2021-09-17',
'source': 'Maine Office of the Attorney General'}],
'regulatory_compliance': {'regulatory_notifications': 'Maine Office of the '
'Attorney General'},
'response': {'communication_strategy': 'Public Disclosure via Maine AG '
'Office'},
'title': 'Sugar Steel Corporation Data Breach (2020)',
'type': 'Data Breach'}