Computer hackers made off with highly sensitive personal records on more than 164,000 job-seekers and license applicants in a virtual “smash and grab” attack last November on Creative Services Inc., a Massachusetts company that conducts background checks on everyone from marijuana entrepreneurs to state employees, university faculty members, and workers at nuclear facilities.
The Mansfield firm said its security team was still investigating the motive and identity of the hackers behind the incident, which executives only disclosed in regulatory filings and letters to clients in February.
An attorney for Creative Services said the company was offering two years of free credit monitoring and other support to those affected, since the stolen records included names, Social Security numbers, driver’s licenses, and other identifying information that could enable fraud.
“We worked diligently to find out what information was affected and made sure to contact the individuals involved,” the attorney, Paul Ferrillo, said in an interview. He added that the firm has since taken steps to secure its computer network against further “smash and grab” attacks; Creative Services was also targeted by hackers in August, according to state filings.
The company has long conducted background checks for employers, institutions, and governments across the country, and the hack did not appear to target any particular sector. Locally, Boston University said some students and faculty may have been affected, while state contracting records indicate Creative Services has been retained by various agencies in recent years, including the Department of Public Health.
However, a major slice of Creative Services’s business in recent years has come from legal marijuana. Most states with regulated cannabis markets require investors, executives, and workers in the industry to pass thorough background checks that include reviews of their criminal records, civil legal history, and even social media postings.
In Massachusetts, the Cannabis Control Commission mandates that practically everyone associated with a licensed pot business pay Creative Services for such a background check. In February, the independent state agency notified 1,982 licensees and workers who received a background check between November 2018 and last fall that their information may have been compromised in the breach. A further 75 commission staffers were also affected, a spokeswoman said.
“We’re doing everything we can to work with companies . . . and prevent it from happening again,” Steve Hoffman, the commission’s chair, told reporters after a meeting last week.
The commission has paid Creative Services just under $70,000 so far this fiscal year, a spokeswoman said, though the company has likely raked in far more in fees paid by Massachusetts marijuana license applicants and employers hiring new workers — each background check costs several hundred dollars, according to applicants.
Marijuana entrepreneurs were frustrated by the hack, noting the state doesn’t offer them any choice in background check providers and that it took several months for Creative Services to notify them of the breach via snail mail. They also said that, beyond standard identity theft, they were concerned about potential leaks of private letters included in their files explaining the circumstances of past arrests or criminal charges that are otherwise sealed from public view.
And then there were the awkward calls to warn investors in their companies about the breach.
“The conversation is, ‘hey, thanks for believing in my company — by the way, you might want to look at your credit history,’ ” said Noni Goldman, a cannabis consultant and executive for several licensed marijuana operators in Massachusetts. “It’s annoying and a little ridiculous. It’s only because we followed the rules and sent all this information that we were targets. Everyone assumed this was totally private communication with [Creative Services].”
In the context of recent megahacks that have seen attackers download millions of records at once, 164,000 may seem like relatively small potatoes. Still, Bob Rudis, the chief data scientist at digital security firm Rapid7, urged people affected by the breach to take it seriously and use the offered free services to secure their identities and bank accounts.
“There’s a lot of what we call ‘breach fatigue’ — I probably get four to 10 notices a year myself,” he said. “But 164,000 represents a lot of human beings, and getting their names, dates of birth, Social Security numbers, and driver’s licenses is more than enough to do a ton of financial damage.”
Rudis said it was most likely that the attackers were seeking those “basic” pieces of information as a means to steal money, though he acknowledged there is a small risk that someone could obtain the data dump from a hacker forum and comb through it to find the more detailed narratives submitted by some cannabis applicants in an effort to extort them.
Creative Services was founded in 1976 by Alan Sklar, who began his career as a private investigator. The company previously made headlines in 1991, when two of its employees were charged with burglarizing the office of a Rochester, N.Y., attorney in an alleged attempt to photograph confidential documents on behalf of a client; Sklar at the time disavowed their conduct and said he had suspended the investigators.