C.R. England today announced it is notifying the final group of individuals potentially impacted by a data security incident previously publicly disclosed when the company initiated notification in May 2022. The final group includes a small number of former employees for whom C.R. England has concluded it has no correct mailing address and who cannot be reached other than through substitute notice. The number of individuals within the substitute notice group is included in, and not in addition to, the total number of potentially impacted individuals identified in prior media reports.
On October 30, 2021, the company discovered unauthorized activity on its systems. In response, the company immediately began containment, mitigation, and restoration efforts to terminate the activity and to secure its network, systems, and data. In addition, C.R. England retained independent cybersecurity experts to conduct a forensic investigation into the incident and assist in determining what happened. The forensic investigation determined that there was unauthorized access to certain files stored within C.R. England’s systems. Based on these findings, C.R. England reviewed the affected files to identify the individuals whose personal information may have been impacted by this incident and the categories of information involved for each individual.
On April 20, 2022, C.R. England determined that the affected files contained information relating to some of its current and former employees. C.R. England then worked diligently to identify current address information necessary to notify affected individuals of the incident. C.R. England began notifying affected individuals for whom C.R. England was able to identify correct address information on May 23, 2022.
Despite exhaustive efforts, C.R. England was unable to find current or correct address information for a portion of the individuals who it believes may have been impacted by the incident, and as such, C.R. England is providing those individuals with substitute notice.
At this time, C.R. England has no verified evidence that any personal information was published, shared, or misused as a result of this incident. Nevertheless, C.R. England is providing substitute notice of the incident and providing resources to help those who may have been affected to protect their information. The information involved for each affected individual varied but may have included the following data elements: name, address, date of birth, Social Security number, license number, individual taxpayer identification number, or health-related information.