Four parallel data breach lawsuits have been filed against a 45-year-old background check services company based in Massachusetts.
Creative Services, Inc. (CSI), located in Mansfield, provides background screening, drug testing and security consulting services to employers, institutions and governments in the United States and overseas.
According to an official filing by the company, on November 26 2021, CSI detected suspicious activity on its computer systems. The company then learned that an unauthorized individual had gained access to the company’s network and may have copied certain files dating from November 2018 to November 2021.
By the end of January 2022, an investigation into the activity had revealed that personal identifying information (PII) belonging to CSI’s clients had been compromised in the security incident. Data impacted by the incident included names, dates of birth, financial account numbers, Social Security numbers and driver’s license numbers
In February 2022, CSI began mailing out data breach notification letters to individuals whose information was contained in the breached files. As many as 164,673 individuals may have been impacted by the breach.
“We take this incident and the security of personal information seriously,” said CSI in a notice of data privacy incident letter.
“While we have existing safeguards in place, as part of our ongoing commitment to the privacy of personal information in our care, we are working to implement enhanced security measures.”
CSI offered complimentary access to 24 months of credit monitoring, fraud consultation and identity theft restoration services to impacted individuals.
The company’s breach discovery came two months after CSI notified over a thousand individuals that their PII had been obtained by unauthorized persons in a separate data security incident.
Earlier this month, four lawsuits were filed, each attempting to establish a class-action case against CSI. The plaintiffs alleged that the company failed to effectively protect the PII of the people whose backgrounds it was hired to check.
In the most recently filed suit, plaintiff Santos Acosta of New York accuses CSI of “recklessly or negligently failing to implement and maintain adequate and reasonable measures to ensure that the PII was safeguarded.”
Acosta further claims that CSI failed to follow appropriate policies and procedures regarding the data encryption.