Boston University is one of several clients that have been subjected to the effects of a data breach involving a likely cyber attack against Creative Services, Inc. The targeted company handles background checks and deals with sensitive personal information, such as an individual’s name, Social Security number, driver’s license number, and date of birth. In response to this breach, which has compromised files from November 2018 through November 2021, four lawsuits have been initiated. The plaintiffs intend to pursue a class action status for their claims. The primary complaint accuses Creative Service, Inc. of failing to provide reasonable security measures to protect client information.
The nature of the cyber attack involves a break into their database systems and a subsequent copy of files. Creative Service, Inc., a company based out of Massachusetts, is a third party service that businesses, colleges, and government agencies may hire to provide background checks for prospective employees or other individuals who may require a background check. Since the disclosure of the unfortunate breach, the company has notified all impacted individuals, including about 164,000 people, and has already established more advanced security channels to its systems. While the company has mailed letters to the individuals, clients such as Boston University have taken additional measures to notify people of the breach.
The university has issued a separate statement indicating that any and all individuals who were required to undergo a background check within the past three years might have been subjected to the unauthorized collection of their personal information. In addition to formally learning of the exposure of their personal information, the affected individuals are also entitled to receive Creative Service, Inc. services as temporary compensation, such as the restoration of identity theft damages, credit monitoring, and fraud advisement. Although Creative Service, Inc. has voluntarily offered these services to people whose information might have been compromised, the company has not responded to the four lawsuits or admitted its negligence or fault in the cases.