CBIZ Discloses Data Breach Caused by a Web Page Vulnerability
CBIZ Benefits & Insurance Services (CBIZ), a leading provider of financial, benefits, and insurance services, has disclosed a data breach that impacted nearly 36,000 individuals. The breach occurred between June 2 and June 21, 2024, when an unauthorized party exploited a vulnerability in one of CBIZ’s web pages to access sensitive customer data.
“On June 24, 2024, CBIZ learned that an unauthorized party may have acquired information from certain databases.”
“CBIZ’s investigation determined that an unauthorized party was able to exploit a vulnerability associated with one of its web pages and acquired information from certain databases between June 2, 2024, and June 21, 2024.”
Stolen Data Includes Sensitive Personal Information
The stolen data included:
- Name
- Contact details
- Social Security number
- Date of birth/death
- Retiree health information
- Welfare plan information
CBIZ, one of the largest professional services companies in the United States, operates 120 offices across the country and employs 6,700 people. In 2023, it recorded revenue of $1.59 billion.
CBIZ Notifies Affected Clients and Offers Credit Monitoring
CBIZ clients confirmed to have been impacted by this incident started to receive personalized notifications on August 28, 2024.
While the company has no evidence that the stolen data has been misused, CBIZ provides guidance on how to enroll in a two-year credit monitoring and identity theft protection service to reduce potential risk.
Additionally, impacted clients are advised to consider placing a credit/security freeze and adding a fraud alert to their credit report.
Potential Impact and Cybersecurity Implications of CBIZ Data Breach
This data breach highlights the ongoing threat of cyberattacks targeting businesses and the importance of robust cybersecurity measures. The exploitation of a web page vulnerability underscores the need for organizations to prioritize security across all their online platforms.
CBIZ’s disclosure of the breach and proactive steps to mitigate potential harm to affected individuals are commendable. However, this incident serves as a reminder for businesses to regularly assess their cybersecurity posture and implement measures to protect sensitive customer data.