EFG Companies breached through third-party VPN


A breach affecting Enterprise Financial Group (EFG) has exposed the personal information of almost 20,000 clients.

The Texas-based auto insurance and financial services company said it became aware of a security incident impacting its internal systems on February 18th this year.

It said it had taken action to investigate, contain, and eradicate the incident with the assistance of external cybersecurity experts.

The investigation concluded on July 15th and found that the incident occurred due to “unknown vulnerabilities” affecting a third-party VPN appliance.

“We have since implemented all available patches and continue to work closely with the third-party provider to mitigate any future risks,” EFG said in a letter to clients.

It said files copied from the company’s environment contained at least part of the following client information:

  • full name;
  • social security number;
  • driver's license number;
  • passport number;
  • bank account or payment card numbers;
  • medical information, and/or insurance information.

EFG said there was no evidence suggesting that the exposed information was or would be misused.

The firm also said it applied a patch provided by the third-party VPN provider and then “fully replaced the third-party VPN appliance as a precaution to prevent further potential disclosures of information.”

It did not name the VPN provider.
