Laundry giant CSC ServiceWorks recently disclosed a cyberattack dating back to 2023, saying the personal information of tens of thousands of people was stolen from its systems.
The New York-based laundry giant has delivered more than 1 million internet-connected laundry machines to homes, hotels and college campuses across North America and Europe. CSC employs more than 3,200 team members, according to its website.
In a data breach notice filed late Friday, CSC confirmed that the breach affected at least 35,340 individuals, including more than 100 in Maine.
News of the data breach is the latest security issue to plague CSC over the past year, with multiple security researchers saying they had discovered a simple but critical vulnerability in its laundry platform that could cost the company revenue.
CSC said in its data breach notice that the intruder broke into its systems on Sept. 23, 2023, and had access to the network for five months, until Feb. 4, 2024, when the company discovered the intruder. It's unclear why it took the company several months to detect the breach; CSC said it took until June to identify the stolen data.
The stolen data includes names, dates of birth, contact information, government issued identification such as Social Security and driver's license numbers, financial information such as bank account numbers, and health insurance information, including some limited medical information.
The type of data involved typically relates to information that companies hold about their employees, such as business records and workplace benefits, and customers are not typically asked to provide such information, so it is entirely possible that the data breach affects current and former employees of CSC.
Meanwhile, CSC did not disclose any details on either point.
CSC spokesman Steven Gilbert did not respond to TechCrunch's specific questions about the incident, including whether the breach affected employees, customers or both. The company did not discuss the nature of the cyberattack or whether it had received any contact from threat actors, such as ransom demands.
CSC made headlines earlier this year when it ignored a simple bug discovered by two student security researchers that would have allowed anyone to run a laundry cycle for free. The company belatedly fixed the vulnerability and apologized to the researchers, who spent weeks trying to notify the company of the flaw.
Following this discovery, the company launched a vulnerability disclosure program to enable prospective security researchers to contact the company directly to privately report bugs or vulnerabilities.
Last month, details were published about a new vulnerability in CSC-equipped washing machines that could let anyone do their laundry for free. Michael Orlitzky wrote in a blog post that the hardware-level vulnerability, which involves shorting two wires inside a CSC-equipped washing machine, would allow someone to operate the machine without inserting a coin. Orlitzky is scheduled to present his discovery on Saturday at Def Con, a security conference in Las Vegas.