Press Release  AG Campbell Reaches $795,000 Settlement with Property Management Company for Failing to Protect the Personal Information of Thousands of Massachusetts Residents

BOSTON — Massachusetts Attorney General Andrea Joy Campbell today announced that her office has reached a $795,000 settlement, pending court approval, with Braintree-based property management company Peabody Properties, Inc. (“Peabody”) for failing to adequately protect the personal information of thousands of Massachusetts residents and for unlawfully delaying required data breach notifications to the Attorney General’s Office (AGO) and affected consumers. 

Peabody manages approximately 227 residential properties across the state of Massachusetts, including housing for veterans, senior living facilities, apartments, and condominiums. Between November 2019 and September 2021, Peabody experienced five separate cybersecurity breaches that exposed the sensitive personal information of thousands of Massachusetts residents, resulting in nearly 14,000 notices to be sent to consumers. Breached information included Social Security numbers, driver’s license numbers, and bank account information. Hackers gained access to Peabody’s network through “phishing” emails. The first two breaches were not reported to the AGO or impacted residents until nearly seven months after the first two breaches occurred. 

The settlement comes in the form a consent judgment, which requires Peabody to pay $795,000 to the Commonwealth for failure to maintain an adequate security program to prevent cyber attacks, and, for two incidents, the delay in notifying the AGO and residents when attacks occurred. In addition, Peabody will also be required to implement a range of cyber security measures for all company laptops and desktops, including: phishing protection software, a vulnerability management program, multi-factor authentication, an asset inventory, an intrusion detection/prevention system, a security incident and event management platform, and security software. The company is also required to conduct an annual security assessment for three years. 

If approved by the Court, the settlement will resolve claims that Peabody violated the Massachusetts Consumer Protection Act (G.L. c. 93A) and the Data Security Law (G.L. c. 93H) by failing to timely notify both regulators and affected consumers of the breaches, and the Massachusetts Data Security Regulations (201 CMR 17.00) by failing to employ sufficient protections for personal information the company collected and stored on its servers. 

This matter is being handled by Assistant Attorney General Kaitlyn Karpenko and Chief Jared Rinehimer of the Privacy and Responsible Technology Division. The lawsuit reflects AG Campbell’s broader efforts to ensure corporate accountability in protecting Massachusetts residents’ personal information. More information about the Massachusetts Data Security Law can be found here.  

###