Ryan Specialty Group (RSG) has posted a notice indicating that it has suffered a data security breach, which may have compromised some individuals’ personal information.
The company reported that around April 17, 2021, it became aware of “unusual activity” related to certain employee email accounts. RSG immediately launched an investigation into the activity, later determining on April 27, 2021 that the email accounts were accessed without authorization between April 04, 2021 and April 20, 2021.
In its notice, RSG said that its investigation was unable to determine whether any specific emails in those accounts were access or viewed. But out of caution, the firm completed a “programmatic and manual review” of the contents of the potentially affected email accounts to determine if any sensitive information was present during the time of the incident. This process was completed on June 30, 2021.
After reviewing the contents of the email accounts, RSG determined that “certain personal information” for “a limited number of individuals” was present in the email accounts, however, the company could not ascertain if they were accessed by the unauthorized user.
While it could not confirm whether the information was actually accessed by an unauthorized user, RSG did indicate in its notice that the information within the affected email accounts during the period included certain individuals’ names, driver’s license numbers, Social Security numbers, financial account information, passport numbers, medical information, health insurance information, government-issued identification numbers, tax identification numbers, username/email and password, and dates of birth.
RSG quickly secured the potentially compromised accounts by resetting their passwords, blocking potentially malicious IP addresses, removing any suspicious emails, and even removed suspicious rules within the mailboxes. The company also opened investigations with its email solutions and managed services providers, and has announced that it would review existing security policies to prevent a similar event in the future.
The company said that it is “providing notice to potentially impacted individuals out of an abundance of caution.” RSG will also be offering the affected access to complimentary credit monitoring and identity protection services for 24 months.