Laundry giant CSC ServiceWorks says tens of thousands of people had their personal information stolen from its systems after recently disclosing a cyberattack from 2023.
The New York-based laundry giant provides over a million internet-connected laundry machines to residential buildings, hotels, and university campuses around North America and Europe. CSC also employs more than 3,200 team members, according to its website.
In a data breach notification filed late on Friday, CSC confirmed that the data breach affected at least 35,340 individuals, including over a hundred people in Maine.
News of the data breach is the latest security issue to beset CSC over the past year, after multiple security researchers say they found simple but critical vulnerabilities in its laundry platform capable of losing the company revenue.
In its data breach notice, CSC said an intruder broke into its systems on September 23, 2023 and had access to its network for five months until February 4, 2024, when the company discovered the intruder. It’s not known why it took the company several months to detect the breach. CSC said it took until June to identify what data was stolen.
The stolen data includes names; dates of birth; contact information; government identity documents, such as Social Security and driver’s license numbers; financial information, such as bank account numbers; and health insurance information, including some limited medical information.
Given that the types of data involved typically relate to the information that companies hold on their employees, such as for business records and workplace benefits, it’s plausible that the data breach affects current and former CSC employees, as customers are not typically asked for this information.
For its part, CSC would not clarify either way.
CSC spokesperson Stephen Gilbert declined to answer TechCrunch’s specific questions about the incident, including whether the breach affects employees, customers, or both. The company would not describe the nature of the cyberattack, or whether the company has received any communication from the threat actor, such as a ransom demand.
CSC made headlines earlier this year after ignoring a simple bug discovered by two student security researchers that allowed anyone to run free laundry cycles. The company belatedly patched the vulnerability and apologized to the researchers, who spent weeks trying to alert the company to the flaw.
The findings prompted the company to set up a vulnerability disclosure program, allowing future security researchers to contact the company directly to privately report bugs or vulnerabilities.
Last month, details of a new vulnerability found in CSC-powered laundry machines allowing anyone to also get free laundry were made public. Michael Orlitzky said in a blog post that the hardware-level vulnerability, which involves short circuiting two wires inside a CSC-powered laundry machine, bypasses the need to enter coins to operate the machine. Orlitzky is due to present his findings at the Def Con security conference in Las Vegas on Saturday.
