Chemonics International, an international development company and major contractor for the United States Agency for International Development (USAID), disclosed a months-long breach of its systems that began in May 2023.
The breach exposed personal information of victims including names, addresses, email addresses, dates of birth, Social Security numbers, driver’s license and state ID information, passport information, U.S. military ID information, tribal ID information, financial information, health and related information, usernames and passwords, biometric information, gender and sexual orientation information, and signatures, Chemonics disclosed in a notice published to its website Tuesday.
The company said in a notification to the Officer of the Maine Attorney General on Tuesday that the breach affected more than 263,000 individuals and was first discovered on Dec. 15, 2023. However, according to the notification letter sent to affected individuals, unauthorized access to Chemonics’ systems continued until Jan. 9, 2024.
“With the assistance of third-party eDiscovery experts retained through outside counsel, Chemonics conducted a thorough and time-intensive review of the data at issue to identify the personal information subject to unauthorized access and determine to whom the personal information relates,” the letter stated. “This process took time to complete, and on October 31, 2024, the eDiscovery process confirmed which individuals’ personal information was subject to unauthorized access.”
SC Media reached out to Chemonics to ask how attackers had access to its systems for more than six months without detection, and why unauthorized access continued for another 25 days, and a spokesperson declined to answer any specific questions. The company said in its public notice that its internal security team took actions to remediate the threat, including by resetting passwords and disabling affected accounts, upon discovery of the suspicious activity.
“We conducted a diligent investigation to confirm the nature and scope of the Incident, and we have taken steps to bolster overall security including strengthening multi-factor authentication processes, enhancing email security, deploying additional endpoint monitoring and detection tools, and blocking suspicious Internet traffic,” the company stated.
Chemonics has not said whether the incident was related to ransomware or any known cybercrime group. The company stated that suspicious activity related to “certain user accounts” was detected and classified the incident as an “External system breach (hacking)” in its notification to the Maine Attorney General.
Chemonics said it is unaware of any misuse of accessed data but advised individuals to monitor or temporarily freeze their credit, and to be on guard for potential scams related to the incident. Chemonics is also offering impacted individuals 24 months of complimentary access to Equifax Credit Watch Gold, according to the sample notification letter submitted to the Maine Attorney General.
Chemonics employs more than 6,000 specialists in more than 100 countries, according to its website, and is a leading partner of the USAID. The company works on a range of development projects, including in agriculture and food security, democracy and governance, economic growth and trade, education, environment and natural resources, healthcare, sustainable energy, and water security and sanitation.
In 2015, Chemonics received $9.5 billion from the USAID to manage the Global Health Supply Chain project, marking the largest-ever USAID contract to date, according to Devex.
Chemonics previously suffered a data breach in 2021, which was disclosed in 2022 and for which few details have been revealed since. In this past attack, which affected more than 6,000 individuals, Chemonics specified that email attacks were infiltrated to conduct malicious activity.
