On April 5, 2024, the Vermont Office of the Attorney General disclosed a data breach affecting Tandym Group, LLC, initially detected on May 18, 2023. The incident stemmed from unauthorized access to an employee’s email account, exposing sensitive personal information, including Social Security numbers (SSNs) and names of at least 10 Rhode Island residents. While the full scope of the breach remains undisclosed, the compromise of SSNs highly sensitive identifiers poses significant risks, such as identity theft, financial fraud, or targeted phishing attacks against the affected individuals.The breach highlights vulnerabilities in email security protocols, potentially due to weak authentication, phishing, or insufficient monitoring. Given the nature of the exposed data (SSNs), the incident could lead to long-term reputational damage for Tandym Group, regulatory scrutiny under data protection laws (e.g., state breach notification statutes), and financial liabilities from remediation efforts (e.g., credit monitoring for victims). The delayed public disclosure (nearly a year post-discovery) may further exacerbate trust issues with clients and partners.No evidence suggests the breach involved ransomware or a broader systemic attack, but the leak of employee-managed sensitive data underscores the need for stricter access controls and employee cybersecurity training to prevent similar incidents.
Source: https://ago.vermont.gov/document/2024-04-05-tandym-group-data-breach-notice-consumers
TPRM report: https://www.rankiteo.com/company/tandym
"id": "tan1011090725",
"linkid": "tandym",
"type": "Breach",
"date": "5/2023",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"{'affected_entities': [{'customers_affected': '10 (Rhode Island residents)',
'name': 'Tandym Group, LLC',
'type': 'Private Company'}],
'attack_vector': 'Compromised Email Account',
'data_breach': {'number_of_records_exposed': 'At least 10',
'personally_identifiable_information': ['Social Security '
'numbers',
'Names'],
'sensitivity_of_data': 'High (includes SSNs)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)']},
'date_detected': '2023-05-18',
'date_publicly_disclosed': '2024-04-05',
'description': "Unauthorized access to an employee's email account at Tandym "
'Group, LLC, potentially compromising sensitive information '
'such as Social Security numbers and names. The breach was '
'identified on May 18, 2023, and reported by the Vermont '
'Office of the Attorney General on April 5, 2024. At least 10 '
'Rhode Island residents were affected.',
'impact': {'data_compromised': ['Social Security numbers', 'Names'],
'identity_theft_risk': 'High (SSNs exposed)',
'systems_affected': ['Employee Email Account']},
'initial_access_broker': {'entry_point': 'Employee Email Account'},
'references': [{'date_accessed': '2024-04-05',
'source': 'Vermont Office of the Attorney General'}],
'regulatory_compliance': {'regulatory_notifications': ['Vermont Office of the '
'Attorney General']},
'response': {'communication_strategy': 'Public disclosure via Vermont Office '
'of the Attorney General'},
'title': 'Tandym Group, LLC Data Breach (2023)',
'type': 'Data Breach'}