The sensitive personal information of employees and former employees of U.S. Residential Group may have been stolen after a company email account was taken over in a phishing attack.
U.S. Residential, a property management company based in Dallas, disclosed the phishing attack on Friday, and warned its employees and former employees that they may be at risk of identity theft.
According to the company, an “unauthorized individual” obtained user credentials for a company email account via a phishing attack.
The “unauthorized individual” then logged into the account and began using it. While using the account, the individual may have had access to “certain files” stored in the account, including files with highly sensitive personal data.
According to the company, the unauthorized individual may have been able to access certain employee information including: names, Social Security numbers, business financial account numbers, driver’s license or government identification numbers, and in some cases medical or health insurance information and identifiers.
In a post on the company’s website, U.S. Residential said that the compromised email account was also used to send and receive information about some of the company’s employees. In some cases, this information included Social Security numbers, the company said.
The company said that it is not aware of any fraud or misuse of the compromised information as of yet, but investigations into the matter are ongoing.
Upon discovering the breach, U.S. Residential said that it contacted a third-party forensic computer firm to determine what information was impacted.
Additionally, the company said that it contacted law enforcement, including the FBI, and is cooperating with all investigations into the breach.
The company also said that it has taken steps to prevent an incident like this from happening again in the future, including working to improve its employees’ awareness of phishing attacks by enhancing the company’s security awareness training and education, and launching simulated phishing attacks.
The company said that it is also partnering with an “industry-leading security technologies firm” to implement additional tools to help protect employees’ information.
While the company said that there is no evidence of fraud or identity theft at this point, it will still offer one year of complimentary fraud resolution and identity protection services to all individuals who may have been impacted.
“U.S. Residential takes the privacy and protection of personal information very seriously, and deeply regrets that this incident occurred,” the company said in a statement. “We take the security of our current and former employees’ information very seriously, and we deeply regret any concern this may cause.”