Tens of thousands of individuals have had their personal information stolen in a cyberattack on laundry giant CSC ServiceWorks. The New York-based company provides internet-connected laundry machines to residential buildings, hotels, and university campuses across North America and Europe. The breach, which occurred in September 2023, affected at least 35,340 individuals, including over a hundred people in Maine.
This is not the first security issue CSC has faced in recent times. Over the past year, multiple security researchers have identified critical vulnerabilities in the company’s laundry platform that could result in revenue loss. The latest breach, however, is the most severe.
The breach went undetected for five months until CSC discovered the intruder in February 2024. It is unclear why it took the company several months to detect the breach. It was not until June that CSC was able to identify the stolen data, which includes names, dates of birth, contact information, government identity documents, financial information, and health insurance information.
The type of data stolen suggests that the breach may affect current and former CSC employees, as this information is typically held by companies for business records and workplace benefits. However, CSC has not clarified whether the breach affects employees, customers, or both.
CSC has been tight-lipped about the incident, declining to answer specific questions about the nature of the cyberattack or whether they have received any communication from the threat actor. The company has also not disclosed if they have received a ransom demand.
This breach comes after CSC made headlines earlier this year for ignoring a simple bug that allowed individuals to run free laundry cycles. The company eventually patched the vulnerability and apologized to the security researchers who discovered it. As a result of these findings, CSC established a vulnerability disclosure program to allow researchers to privately report bugs or vulnerabilities.
Unfortunately, another vulnerability in CSC-powered laundry machines was recently made public. This vulnerability allows anyone to bypass the need for coins to operate the machines by short-circuiting two wires inside. The researcher who discovered this vulnerability, Michael Orlitzky, will be presenting his findings at the Def Con security conference in Las Vegas.
Overall, this breach highlights the importance of robust cybersecurity measures, especially for companies that handle personal and financial data. It serves as a reminder that even seemingly ordinary devices, like laundry machines, can be vulnerable to cyberattacks. CSC and other companies must remain vigilant and proactive in identifying and mitigating security risks to protect both their employees and customers.