Young Consulting’s cybersecurity woes continue after the number of affected individuals from last year’s suspected ransomware raid passed the 1 million mark.
The software vendor to stop-loss insurance carriers, now trading as Connexure, said the attack took place sometime between April 10 and 13, 2024, in a data breach notice that remains on its website homepage today.
Young Consulting did not mention that ransomware was involved, although the BlackSuit group took credit for the attack, which was also widely reported as a ransomware incident.
It said that after learning of “technical difficulties” in its IT environment, it found evidence of an “unauthorized actor” gaining access to its network and copying certain files.
Per a filing with Maine’s attorney general at the time, a little more than 950,000 people had their data compromised in some way.
Names, Social Security numbers, dates of birth, and insurance policy/claim information were among the data types affected, the company said.
However, BlackSuit claimed to have stolen much more, including additional data such as passports and internal company documents.
Cybercriminals often exaggerate and lie, so always take their claims with a generous pinch of salt.
The Register did not download the data from BlackSuit’s website to evaluate the veracity of its claims.
More than a year since the attack took place, Carla Reddick, Connexure’s head of HR, updated the company’s filing in Maine to reflect the growing number of affected individuals, which now stands at 1,071,336.
The updates to the victim count seem to be a regular occurrence. After first disclosing the total in August 2024, Young Consulting sent additional notification letters in January when it identified more affected individuals.
Wednesday’s update marks the second time the company has amended the tally of affected individuals since the initial announcement.
According to the most recent filing, the additional notification letters being sent today will offer the same 12 months of credit monitoring and identity theft restoration as those issued in August.
The time it has taken Young Consulting to accurately assess how many unique individuals were affected by the attack is not necessarily a reflection of its cybersecurity acumen.
Digital forensic analysis of affected data can be, and often is, a time-consuming process involving various factors.
People will invariably have their data stored on different drives and systems, which in turn complicates the identification process since analysts have to determine where data is duplicated and adjust the victim count accordingly.
That is just one example of many factors that can delay definitive determinations of uniquely affected individuals.
IBM’s most recent Cost of a Data Breach report (2024) states that the average time it takes to identify and contain an attack such as this, which includes determining the number of unique individuals affected, varies but can reach up to 292 days depending on the type of attack. ®