On December 17, 2020, Custom Benefit Programs, Inc. (an Aon Company) experienced a data breach where an unauthorized individual accessed and improperly shared a file containing sensitive personal information of Thomson Reuters employees. The compromised data included highly confidential details such as names, addresses, Social Security numbers, and compensation information. The breach was reported to the California Office of the Attorney General on May 21, 2021. The exposure of Social Security numbers and compensation details poses significant risks, including identity theft, financial fraud, and reputational harm to the affected employees. Such data is highly valuable on the black market and can be exploited for malicious purposes over an extended period. The breach underscores vulnerabilities in the company’s data protection measures, particularly in safeguarding third-party employee information entrusted to them. While the immediate financial impact on the company may not be explicitly detailed, the long-term consequences—such as legal liabilities, regulatory fines, and erosion of trust among clients and partners—could be substantial. The incident also highlights the broader implications of supply-chain risks, where a breach at a service provider can directly impact unrelated organizations and their workforce.
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-541189
TPRM report: https://www.rankiteo.com/company/wearenfp
"id": "wea524082125",
"linkid": "wearenfp",
"type": "Breach",
"date": "12/2020",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Thomson Reuters employees',
'industry': 'Insurance/Benefits Administration',
'name': 'Custom Benefit Programs, Inc. (an Aon '
'Company)',
'type': 'Service Provider'},
{'industry': 'Media/Information Services',
'name': 'Thomson Reuters',
'type': 'Corporation'}],
'data_breach': {'data_exfiltration': 'Yes (improperly shared with '
'unauthorized individual)',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personal Identifiable '
'Information (PII)',
'Employment/Compensation Data']},
'date_publicly_disclosed': '2021-05-21',
'description': 'The California Office of the Attorney General reported a data '
'breach involving Custom Benefit Programs, Inc., an Aon '
'Company. The breach occurred when a file containing personal '
'information of Thomson Reuters employees was accessed and '
'improperly shared with an unauthorized individual. '
'Compromised data included names, addresses, social security '
'numbers, and compensation details.',
'impact': {'data_compromised': ['names',
'addresses',
'social security numbers',
'compensation details'],
'identity_theft_risk': 'High (PII exposed)'},
'references': [{'source': 'California Office of the Attorney General'}],
'regulatory_compliance': {'regulatory_notifications': 'California Office of '
'the Attorney General'},
'response': {'communication_strategy': 'Public disclosure via California '
'Office of the Attorney General'},
'title': 'Data Breach at Custom Benefit Programs, Inc. (an Aon Company) '
'Affecting Thomson Reuters Employees',
'type': 'Data Breach'}