Press Release  Rhode Island Company To Pay $230,000 in Penalties Over Data Breach Impacting More Than 3,000 Massachusetts Residents

BOSTON — A Rhode Island-based job placement service company will pay $230,000 in penalties under a settlement reached with Attorney General Maura Healey’s Office over the company’s failure to implement the proper security programs necessary to protect personal information, following a data breach in 2020 that impacted more than 3,000 Massachusetts residents.

TradeSource is a job placement service that connects tradespeople with contractors in the construction industry and maintains a branch office in Natick. According to the assurance of discontinuance, filed today in Suffolk Superior Court, the company was hacked in December 2020 after an employee fell victim to a phishing email, resulting in a compromise of credentials that allowed hackers to enter the system and steal the personal data of users, including names and social security numbers. In response to the data breach, Trade Source provided affected residents with two years of free credit monitoring and identity theft protection.

“Companies need to have the proper security measures and systems in place to keep the sensitive information of individuals safe from hackers,” said AG Healey. “My office is pleased to have secured this settlement and will continue to ensure companies are abiding by our data security laws and protecting the personal information of Massachusetts residents.”

The AG’s Office alleges that TradeSource violated Massachusetts data privacy laws by failing to have a written information security program (WISP) in place during or prior to the data breach. A WISP documents an organization’s protocols or guidelines to protect the security and confidentiality of personal information. Under Massachusetts laws, companies must maintain a WISP in order to protect such data.

Under the terms of the settlement, TradeSource will pay $230,000 in penalties. Additionally, the company must come into compliance with state laws, as well as continue to implement and maintain a WISP, and continue to train its employees on the importance of personal information security.

If you believe that you have been the victim of a data breach, you may need to take steps to protect your credit and your personal information. For additional information, consumers may visit the AG’s website. Guidance for businesses on data breaches can be found here. Last year, AG Healey reminded businesses and organizations of actions to take to be vigilant and protect themselves against ransomware and other cyber threats.

This case was handled by Acting Division Chief Jared Rinehimer, of the AG’s Data Privacy and Security Division, and Assistant Attorney General Chanal Neves-McCain, of the AG’s Civil Rights Division.

###