The U.S. Atlantic States Marine Fisheries Commission (ASMFC) has acknowledged a data breach and begun to notify customers who were affected by it.
The ASMFC data breach reportedly took place on April 6, 2024. The commission stated that “it was the victim of a cybersecurity incident” that affected the organization’s electronic systems. The ASMFC shared the data breach notification with the Office of the Maine Attorney General on June 28 through its legal counsel.
In its notification, the ASMFC shared that around 9,895 people, including 3,823 Maine residents, could be affected by the data breach. Hackers allegedly stole a company database containing sensitive Personally Identifiable Information (PII), along with financial records of the commission. The cause of the data breach has been reported as “external system breach (hacking).”
Understanding ASMFC Data Breach
ASMFC plays a key role in overseeing fisheries along the Atlantic seaboard. Established 80 years ago, the fishery organization states on its site that its mission is “to promote the better utilization of the fisheries, marine, shell and anadromous, of the Atlantic seaboard by the development of a joint program for the promotion and protection of such fisheries, and by the prevention of physical waste of the fisheries from any cause.”
The 8Base ransomware group claimed the organization as a victim on its leak site and said it had stolen several pieces of critical data. On April 15th, the group asserted on its official leak site that it had obtained information such as personal data, invoices, receipts, accounting documents and certificates. It gave the organization a deadline of four days to pay the ransom, warning that it would release the data if the ransom was not paid by April 19th.
According to the commission, “On April 6, 2024, ASMFC learned it was the victim of a cybersecurity incident that affected our organization’s electronic systems. ASMFC promptly notified law enforcement. With assistance from third-party experts, we took immediate steps to secure our systems, restore operations, and investigate the nature and scope of the Incident. Based on our investigation, the Incident appears to have begun on or about March 14, 2024 and ended on April 6, 2024.”
ASMFC concluded that sensitive PII could have been part of the data leak:
“As part of our extensive forensic investigation, we have worked diligently to determine whether any personally identifiable information may have been impacted. We concluded that some or all the following information may have been subject to unauthorized access and acquisition during the Incident: name, mailing address, email address, phone number, Social Security number, bank account and routing number, copies of ID cards (driver’s license, Social Security cards, birth certificate and/or passport),” the organization said in its notification.
The breach was discovered during routine security monitoring, but the specific methods used by the hackers remain unclear. In response, ASMFC has taken steps to secure personal information and offered identity theft protection services to those affected.
“As an added precaution, we are also offering you a chance to enroll in complimentary identity theft protection services through IDX, A ZeroFox Company. IDX identity protection services include 24 months of Credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed ID theft recovery services,” the commission shared with all its stakeholders.
“Please note that at this time, we have no evidence that your information has been misused. However, we encourage you to take full advantage of this offered service,” ASMFC mentioned in its letter.