Laundry service giant CSC ServiceWorks recently disclosed that the personal details of tens of thousands of people were stolen from its systems following a cyberattack it disclosed in 2023.
The New York-based laundry giant provides more than a million Internet-connected washing machines to residential buildings, hotels, and college campuses across North America and Europe. CSC also employs more than 3,200 team members, according to its website.
In a data breach report filed late Friday, CSC confirmed that at least 35,340 people were affected by the breach, including more than 100 in Maine.
The data breach is the latest security issue to plague CSC in the past year, with multiple security researchers revealing a simple but critical vulnerability in the company’s laundry platform that could have cost the company revenue.
In its data breach notice, CSC said the intruders entered its systems on September 23, 2023, and had access to its network for five months until the company discovered the intruders on February 4, 2024. It is unclear why it took the company months to detect the breach; CSC said it took until June to determine what data had been stolen.
Stolen data includes names; dates of birth; contact information; government-issued identification, such as Social Security numbers and driver’s license numbers; financial information, such as bank account numbers; and health insurance information, including some limited medical information.
Given that the types of data involved are typically business records or workplace benefits information that companies maintain about their employees, this data breach likely affected current and former CSC employees, as this information is not typically requested from customers.
CSC did not clarify which group was affected.
CSC spokesman Stephen Gilbert declined to answer specific questions from TechCrunch about the incident, including whether it affected employees, customers or both. The company did not elaborate on the nature of the cyberattack or whether the company received any communications from threat actors, such as ransom demands.
CSC made headlines earlier this year after ignoring a simple bug discovered by two student security researchers that allowed anyone to run a free wash cycle. The company belatedly patched the vulnerability and apologized to the researchers, who had been trying to alert the company to the flaw for weeks.
Based on these findings, the company established a vulnerability disclosure program so that future security researchers can contact the company directly to confidentially report bugs or vulnerabilities.
Last month, details were released about a new vulnerability discovered in CSC-powered washing machines that could allow anyone to do their laundry for free. In a blog post, Michael Orlitzky said the hardware-level vulnerability involves shorting two wires inside the CSC-powered washing machines, bypassing the need to insert coins to operate the machines. Orlitzky will present his findings at the Def Con security conference in Las Vegas on Saturday.