A Boise company says it is the victim of a phishing email that may have given hackers access to personal information about current and former employees and customers.
The Terteling Co. said Tuesday that it was victimized in early May. The attack affected mostly current and former employees of Terteling's Western States Equipment Co., Agri-Service and the 36th Street Garden Center and Bistro, along with Red Horse Mountain Ranch, a former affiliated company.
A small number of Western States customers may have been affected, the company said. Western States operates Western States CAT, a Northwest chain specializing in Caterpillar heavy equipment.
The company said it has notified 4,000 people that their information may have been compromised.
Sign Up and Save
Get six months of free digital access to The Idaho Statesman
It's unclear whether the breach led to actual access to personal information, but the company is responding as though it did, said Michael Romans, marketing director.
Names, birth dates, Social Security numbers, home addresses, driver's license numbers and numbers from business-issued credit cards may have been compromised. The breach may have also involved health plan coverage and information regarding diagnoses, medications, treatments and payments.
The phishing email came from a hacker who pretended to be a company employee. The person was able to access some internal email files.
"The hackers are getting smarter and better," Romans said. "We have to do that along with them."
Terteling IT managers learned of the phishing email on May 1 and removed it from the network. The company conducted an internal investigation and brought in outside cybersecurity consultants and forensic investigators. It also reported the incident to police.
The company required employees to set up new passwords and restricted outside access to the network.
“We deeply regret the incident and want to extend our apologies to and express our concern about those potentially affected by this incident,” said Tom Terteling, the president and CEO. “We are conducting a thorough review of our data privacy and security policies and procedures to reduce the risk of future incidents, and we plan to provide additional training to all of our employees.”
The company is offering free identity-theft and credit-monitoring service for a year, for anyone who may have been affected, through Experian, a credit monitoring company.
So far, it does not appear that anyone's personal information has been used for illegal purposes, Romans said. "There has been no evidence of any activity like that," he said.