Laundry giant CSC ServiceWorks says tens of thousands of people have had their personal data stolen from its systems after recently disclosing a 2023 cyberattack.
The New York-based laundry giant provides more than a million internet-connected washers to residential buildings, hotels and college campuses across North America and Europe. CSC also employs more than 3,200 team members, according to its website.
In a data breach notification filed Friday evening, CSC confirmed that the breach affected at least 35,340 people, including more than 100 people in Maine.
The data breach news is the latest security issue to hit CSC in the past year, after several security researchers said they had found simple but critical vulnerabilities in its laundry platform that could cost the company profits.
In its data breach notification, CSC said an intruder entered its systems on September 23, 2023, and had access to its network for five months until February 4, 2024, when the company discovered the intruder. It is not known why it took the company several months to detect the breach. CSC said it took until June to identify what data had been stolen.
The stolen data includes names, dates of birth, contact information, government identification documents, such as Social Security numbers and driver’s licenses, financial information, such as bank account numbers, and health insurance information, including some limited medical information.
Given that the types of data involved typically relate to information companies hold about their employees, such as company records and benefits, it is likely that the data breach affected current and former CSC employees, as customers are typically not asked for this information.
For its part, CSC did not want to clarify either point.
CSC spokesperson Stephen Gilbert declined to answer TechCrunch’s specific questions about the incident, including whether the breach affected employees, customers, or both. The company declined to describe the nature of the cyberattack or whether it had received any communications from the threat actor, such as a ransom note.
CSC made headlines earlier this year after it ignored a simple bug discovered by two student security researchers that allowed anyone to run free laundry cycles. The company belatedly patched the vulnerability and apologized to the researchers, who spent weeks trying to alert the company to the flaw.
The findings prompted the company to establish a vulnerability disclosure program, allowing future security researchers to contact the company directly to privately report bugs or vulnerabilities.
Last month, details were made public of a new vulnerability found in CSC-powered washing machines that allows anyone to get free laundry, too. Michael Orlitzky said in a blog post that the hardware-level vulnerability, which involves shorting two wires inside a CSC-powered washing machine, bypasses the need to insert coins to operate the machine. Orlitzky is scheduled to present his findings at the Def Con security conference in Las Vegas on Saturday.