CSC ServiceWorks Discloses Data Breach Impacting Thousands in 2023

CSC ServiceWorks, a prominent laundry service provider, has announced that a cyberattack in 2023 led to the theft of personal details belonging to a vast number of its users.

Operating from New York, CSC ServiceWorks is a key player in the laundry industry, serving both North American and European markets with over a million web-enabled laundry machines across various sectors, including residential, hospitality, and education. The company boasts a workforce exceeding 3,200 individuals as mentioned on its website.

According to a notification of a data breach submitted at the end of last week, it was revealed that the breach impacted at least 35,340 individuals, with more than a hundred from Maine being affected.

This breach is the most recent in a series of security challenges CSC has faced over the last year, following discoveries by various security experts of fundamental flaws in the company’s laundry applications that could potentially diminish its earnings.

CSC disclosed in its breach notification that an unauthorized party accessed its systems on September 23, 2023, and managed to stay undetected until February 4, 2024. The lengthy period before detection remains a mystery. The company identified the compromised information only by June.

The compromised information encompasses a range of personal data, including names, birth dates, contact details, identification documents like Social Security and driver’s license numbers, financial data including bank account details, and in some instances, limited health insurance and medical information.

This compromised data is largely representative of the type of information employers collect from their employees for business and employment benefits, suggesting that both past and current CSC employees could be the breach’s primary victims, as customers generally don’t provide such extensive details.

CSC, however, has not provided specific details regarding who was affected by the breach.

Responding to inquiries from TechCrunch, CSC’s representative, Stephen Gilbert, chose not to comment on specifics of the incident, including the nature of the cyberattack, or whether negotiations or demands had been made by the perpetrators.

Earlier in the year, CSC was in the spotlight for disregarding a simple flaw identified by two student researchers, which allowed unauthorized free laundry cycles. The company eventually addressed the flaw and communicated its regret to the researchers, who had struggled to bring the issue to CSC’s attention for weeks.

Following the incident, CSC initiated a vulnerability disclosure policy, encouraging security analysts to privately report any detected faults or security weaknesses directly to the company.

Recently, another security flaw within CSC’s laundry systems was uncovered, granting unlimited free laundry access. Michael Orlitzky published a post detailing a hardware vulnerability involving the bypassing of coin payment through the short-circuiting of two wires in a CSC machine. Orlitzky plans to share his findings at the upcoming Def Con security event in Las Vegas.