Vice Media data breach included financial data


Unauthorized access to Vice Media’s internal email account might have exposed user personal identifiers and credit card numbers.

Vice Media sent out letters to users who might have their sensitive data exposed in a data breach involving the media company. Vice’s filings with Maine’s Attorney General show that over 1,700 people were affected by the breach.

According to the breach notification, unauthorized access to Vice’s systems might have exposed users’ financial account number or payment card number “in combination with security code, access code, password or PIN for the account.”

ADVERTISEMENT

Vice noted unusual activity in its systems on March 29, 2022, and proceeded to secure the company’s networks and engage cybersecurity companies to investigate the nature of the incident.

“The investigation revealed that there may have been unauthorized access to an internal Vice email account. Following a thorough review of the information contained in the email account, we determined that some of your personal information may have been contained within the account,” Vice said in a letter to affected users.

The company said it finalized the investigation and obtained the addresses of affected users to contact them on January 25, 2023, ten months after the breach was discovered.

Cybersecurity experts criticize companies for taking months to notify customers that threat actors might have accessed their data. While breached companies conduct internal investigations, threat actors may use leaked data to carry out attacks.

However, companies don’t rush to contact users whose data they expose. For example, Five Guys, a popular American fast-food chain, informed its employees that threat actors might have accessed their Social Security numbers (SSNs) three months after the breach was discovered.

Nissan North America lingered for six months before issuing a data breach notification to over 18k users with their names and birth dates exposed. Lutheran Social Services of Illinois (LSSI) took a whole year to inform customers that attackers might have accessed their SSNs, financial account information, driver’s license numbers, biometric information, and medical records.

Vice somewhat downplayed the incident in the letter to affected users, saying they’re being contacted “out of an abundance of caution,” The company pointed out there’s no evidence that data was disclosed.

ADVERTISEMENT