Cementitious Vendor—CGM—Network Compromised by 315k Data Breach
- By Steven
- Published: Feb 21, 2024
- Last Updated: Feb 23, 2024
Based in Philadelphia, Pennsylvania, CGM is a nationwide cementitious vendor for industries and construction projects. They are a leader in manufacturing, labeling, and distributing custom cement and patching products. CGM also offers solutions for dry cementitious powders, construction liquids, and options for epoxy resins. At their physical facility, they process and package concrete construction products for their vast range of clients. These clients may now be at risk for data misuse following a 2022 data breach—an attack projected to impact as many as 315,346 individuals.
How Did the Attack Occur?
The public can find details about the event via the Maine Attorney General’s breach filing since no statements or press releases are available on the CGM website. Maine has also published a sample consumer notice and updated event timeline as part of the filing. Regarding the attack itself, there is little detail available; the (ongoing) investigations determined that an unauthorized actor accessed the system, copied files, and presumably left before officials were aware. How the assailant accessed the systems is not indicated, which could suggest system vulnerabilities or network permission misconfigurations.
What Information Was Viewed or Stolen?
The breach filing and the consumer notice list the same information as being impacted by this event—victims’ names and state ID numbers (or driver’s license numbers). Additionally, the consumer notice does not indicate who the “data owner” is. While individuals own their data, the notice suggests that the information compromised in this event belongs to a third party. If this is the case, this event could cause a landslide of consequences for their clients.
How Did CGM Admit to the Breach?
According to the timeline presented in the consumer notices, the unauthorized actor accessed CGM’s systems from December 15th to December 28th, 2022. On or around December 28th, officials observed unusual activity within their network and launched a response to the threat. The preliminary investigation finished around March 23rd, 2023, with officials notifying impacted data owners of the event sometime in April 2023. Officials sent the first wave of individual notices around June 7th, 2023. A secondary data specialist reportedly completed an additional investigation around December 18th, 2023—and CGM notified further impacted parties around December 21st, 2023. Officials sent the second wave of notices around February 14th, 2024.
What Will Become of the Stolen Information?
The data compromised in this event may have many uses for a cybercriminal. They could misuse the data for impersonation or identity theft; alternatively, the data could be used for credential stuffing. Victims with ties to small businesses and other vendors have an exceptionally high risk for further victimization through credential stuffing and spear phishing. The best choice impacted parties have for responding to this event is taking action.
What Should Affected Parties Do in the Aftermath of the Breach?
CGM’s breach happened more than a year ago—there’s no telling what happened to the stolen data. The assailants could have sold it online, or they might have begun other criminal schemes with it; however, this doesn’t mean victims can’t do anything to protect themselves. Victims should reset their passwords and change their usernames wherever possible, enabling multi-factor authentication or one-time tokens. They should also consider account monitoring services for those accounts they can’t check daily. CGM’s attack may have happened more than a year ago, but victims still have time to implement account takeover prevention measures to protect their data from misuse.