Recently, Afni, Inc. filed official notice of a data breach that impacted the sensitive information of certain individuals. According to Afni, the breach resulted in the names, addresses, Social Security numbers, and dates of birth being compromised. On June 14, 2022, Afni, Inc. filed an official notice of the breach and sent out data breach letters to all affected parties.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Afni data breach, please see our recent piece on the topic here.
What We Know About the Afni Data Breach
Information about the Afni, Inc. breach comes primarily from the data breach letter the company released to affected parties. Evidently, on June 7, 2021, Afni detected what it referred to as “anomalous activity” on its computer systems. In response, Afni contacted third-party cybersecurity professionals and began an investigation into the incident.
This investigation revealed that on or before June 7, 2021, an unauthorized party was able to gain access to the company’s computer system and may have viewed or removed certain data.
Upon discovering that sensitive consumer data was accessible to an unauthorized party, Afni then commenced a review of all affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, address, Social Security number, and date of birth.
On June 14, 2022, Afni sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
More Information About Afni, Inc.
Founded in 1936 in Bloomington, Illinois, Afni, Inc. is a business services company focused on helping clients’ businesses run smoothly and profitably. Afni was originally founded as a collection agency but has since grown to offer a wide range of services, including digital engagement, insurance subrogation, call center staffing, back office processing and more. Afni has offices located across the United States, including in Alabama, Arizona, Illinois, and Kentucky, as well as three offices in the Philippines. Afni employs more than 9,000 people and generates approximately $1 billion in annual revenue.
Why Does It Take So Long for Companies to Announce a Data Breach?
The Afni, Inc. data breach was first discovered in June 2021; however, the company did not notify victims of the breach until a full year later. This begs the question, what took so long? If Afni knew that consumer data was compromised, wouldn’t the company increase the risks of identity theft and other fraud by waiting to provide notice of the incident?
Undoubtedly, the answer to this question is “yes.” Often, hackers and other cybercriminals will attempt to use the information they obtain through a cyberattack as soon as possible. And by waiting to provide notice, a company gives hackers ample time to use the data for criminal purposes.
There may be a few reasons why companies do not announce a data breach immediately, some of which make sense, others of which are puzzling.
Of course, there are those situations where a company doesn’t realize that it’s been hacked until weeks or months after the intrusion. In these cases, there is little a business can do if it doesn’t know about the attack. However, businesses with robust data security systems should be able to identify a breach quickly. So, while companies may not be able to report a breach they don’t know about, companies should always be on the lookout for potential breaches.
Another reason why a data breach announcement may be delayed is a law enforcement investigation. In some cases, state or federal law enforcement agencies may ask a business to hold off on reporting a breach for fear of tipping off hackers that the breach has been detected. The idea is that this gives law enforcement time to investigate the breach and, hopefully, catch those who orchestrated the attack.
Yet another reason why a breach may not be reported immediately relates to the company’s review of the affected data. Once a company learns of a data breach, it usually needs to review all affected files to determine what type of information was leaked and which consumers were affected by the breach. This can take time. However, there is nothing stopping a company from issuing a preliminary notice to all customers, for example, by posting a notice on the company website and releasing a more thorough notice at the conclusion of the investigation.
The bottom line is that just because a company sits on knowledge of a data breach without providing notice doesn’t mean that it’s being negligent of the risks it poses to consumers. However, that is a possibility. Following any data security incident, data breach lawyers regularly investigate the incident to assess the company’s response, which may ultimately bear on whether the company can be held financially liable for the breach.