Consolidated Electrical Distributors (“CED”) acquired certain assets of Sun Valley Electric and Energy Electrical Distribution from Warner Holdings, LLC (said acquisition closed on May 6, 2019). The email system CED received from Warner Holdings, LLC was compromised prior to the acquisition, unbeknownst to the parties, and access to the email system was gained by an unknown actor as early as April 26, 2019, when it was still owned by Warner Holdings, LLC.
On or about July 11, 2019, CED became aware of unusual activity in certain employee email accounts. CED launched an investigation with the assistance of a third-party forensic investigator to determine the full nature and scope of what occurred. Through this investigation, CED determined that an unknown actor gained access to these email accounts between April 26, 2019, and July 22, 2019. The email credentials were changed, and the email accounts are secure.
The content of the accounts was reviewed through a time-consuming manual and programmatic process to determine what sensitive data may have been accessible. CED confirmed the types of protected information contained in the affected email accounts and the locations of the individuals and businesses to which the information relates. Although CED is unaware of any actual or attempted misuse of any information, CED is providing notification of this incident out of an abundance of caution.
While, to date, the investigation has found no evidence of actual or attempted misuse of data, CED did determine that the email accounts affected by this incident may include name, payment card information, Social Security number, financial account information, date of birth, passport number, driver’s license or another government-issued ID number, treatment information, health insurance information, prescription or medication information, provider information, patient account number, and/or username and password.
Upon learning of this incident, CED reset account passwords and quickly took steps to determine the content of the impacted accounts and identify the potentially impacted individuals and entities. CED will also notify the necessary regulatory bodies. In an abundance of caution, CED is notifying notice to potentially impacted individuals and entities. Additionally, while we have safeguards in place to protect data in our care, we are working to review and enhance these protections as part of an ongoing commitment to data privacy and security.