The Vice Media Group, which publishes Vice and Motherboard among a range of other brands, has suffered what could be a damaging data breach.
The company recently filed two data breach notifications with the Office of the Maine Attorney General, disclosing that the bank account details and credit/debit card details — including passwords and PINs — of more than 1,700 people had been compromised.
What’s curious is that while the two notices give different dates for the events, the number of people affected is identical. It is unclear whether these are two separate incidents from the same breach, or one incident reported twice as more details came to light in the investigation.
The first notice, which was filed on 26 January 2023, gives no date as to when the breach occurred but does say that Vice Media discovered it on 4 April 2022. This notice states that only personal information and social security numbers were compromised.
The second notice, filed days later on 31 January, does give a date for when the breach occurred, sometime in 2019, but gives the date the breach was discovered as 19 December 2022. The affected data in this second notice is more alarming, however.
“Information acquired: Name or other personal identifier in combination with: Financial Account Number or Credit/Debit Card Number (in combination with security code, access code, password or PIN for the account),” the notice reads.
Both notices state that consumers were sent letters on 30 January, but there is yet another confusing difference. Both notices were submitted by one Lauren Godfrey, but in the first notice her title is attorney, and in the second, partner.
A form version of the letter, which was filed with the Maine AG, sheds a little more light on the incident, though it too adds another layer of confusion, as it states another date for when the breach was discovered.
“On or around March 29, 2022, Vice was alerted to unusual activity within its digital environment,” the letter reads, which contradicts the second breach notification, though it is close to the April date.
The letter does seem to refer to the same incident, however.
“The investigation revealed that there may have been unauthorised access to an internal Vice email account. Following a thorough review of the information contained in the email account, we determined that some of your personal information may have been contained within the account,” the letter continues. “We then worked to obtain up-to-date addresses to notify you of the incident. That process was completed on January 25, 2023.”
This at least goes some way to explain the long gap between the apparent discovery of the breach and its reporting.
The letter is not dated, though it does offer the same remediation as both breach notices: “12 months through Equifax, credit & identity monitoring services, identity restoration services, $1M in identity theft insurance.”
Being a form letter, all it says of what data was compromised is, “The information contained within the email account may have included your name and <<Impacted Data>>.”
However, to make matters more confusing, the letter also says, “We have no information that your personal information was actually disclosed.”
So just an email account containing the information, which is a very fine distinction indeed.
So an incident definitely occurred that may or may not have disclosed personal data, which may have happened in 2019 or 2022, and was noticed in either March or April of the same year.
At this stage, no threat actors have been identified, and Vice has yet to make a public statement.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.