Massachusetts Attorney General Andrea Joy Campbell has announced a settlement with Braintree-based property management company Peabody Properties, Inc., amounting to $795,000. This sum is to tentatively settle allegations that Peabody failed to adequately protect the personal information of thousands of Massachusetts residents. According to the Massachusetts Attorney General's Office, this resolution comes after Peabody experienced five cybersecurity breaches between November 2019 and September 2021, which exposed sensitive data including Social Security numbers and bank account information.
In total, nearly 14,000 notices had to be sent to alert affected consumers about the data compromise. In the direct aftermath of the breaches, hackers used phishing emails to gain unauthorized access to the company's network. The first two cybersecurity incidents notably did not get reported to the Attorney General’s Office, with Peabody purportedly failing to directly inform the impacted residents for about seven months post the first two breaches. This delay has been cited as a factor prompting the settlement.
The consent judgment in which Peabody will be compelled to pay the hefty fine, if approved by the court, aims to rectify violations of the Massachusetts Consumer Protection Act and the Data Security Law, in addition to the Massachusetts Data Security Regulations. Besides the financial penalty, Peabody is also being required to ramp up their cybersecurity measures significantly. Measures include the implementation of a vulnerability management program, phishing protection software, and multi-factor authentication. This is part of broader efforts by AG Campbell to reinforce corporate responsibility in safeguarding personal data of state residents.
The matter, headed by Assistant Attorney General Kaitlyn Karpenko and Chief Jared Rinehimer of the Privacy and Responsible Technology Division, showcases the state's resolve to hold companies accountable for such breaches. According to the AG’s office, "The settlement requires Peabody to also conduct an annual security assessment for three years." Furthermore, Peabody is now expected to maintain an intrusion detection/prevention system and to rigorously keep an asset inventory, helping to better protect all company laptops and desktops from future threats.
