Hackers steal PII and payment info of thousands of California residents in company breach

The Social Security numbers and payment information of 5,678 California residents may be at risk in an incident involving the Corporation Service Company.

A Delaware company that provides business, legal and brand services is notifying several thousand California residents that their personally identifiable information was stolen by hackers who accessed the company’s network.

The Corporation Service Company sent a notice through legal representatives on Thursday to the California attorney general’s office informing it of the incident along with a copy of the letter it is sending to 5,678 affected customers. California law requires organizations to send such notifications to any resident whose data is accessed by an unauthorized party.

It’s not clear from the notice if the incident affected customers outside of California. CSC — which says Fortune 500 companies, law firms and large banks are among its clients — did not respond to a request for comment.

CSC discovered “during routine security monitoring,” that an unauthorized third party accessed its network, the notice says. The company says that it determined on April 5 that “an unknown actor” exfiltrated files containing  some clients’ names, Social Security numbers and credit or debit card information. The incident occurred on Nov. 25, 2017, the company says. The notice does not specify how the unauthorized access occurred.


The company says it collects certain PII when provides its clients with agent for service-of-process services, which involves companies designating a third party to receive lawsuits and other documents on their behalf.

CSC says that it initiated “incident response and mitigation activities” once it learned of the incident, bringing in two independent cybersecurity firms and coordinating with law enforcement. CSC did not specify which cybersecurity firms it hired.

The company says it’s also implementing enhanced security protocols, including two-factor authentication of some customer and internal services, expanding firewalls, requiring employees to have 16-character passwords, and other things. Some of these measures were already in place, the notice says.

In addition to notifying affected individuals, CSC says it’s offering them with a year of free credit monitoring services.

Latest Podcasts