Monsanto, the massive international agricultural conglomerate, has disclosed a data breach that involved the personal information of customers and employees of its Precision Planting subsidiary. The breach included names, addresses, possibly Social Security numbers and some financial account information.
The company discovered the breach on March 27, but it wasn’t disclosed until earlier this month. Company officials say that the incident resulted form unauthorized access to a server that contained the sensitive information of more than 1,200 customers and employees of Precision Planting. The subsidiary provides agricultural services and farm equipment.
“On March 27 we discovered unauthorized access to our systems had occurred by an outside party. Files on the affected servers contained personal information, including customer names, addresses, tax identification numbers (which in some cases could be Social Security Numbers), and (in some cases) financial account information. Additionally, some HR data was stored on the servers, including some W2 tax forms that contained employee name, address, and Social Security numbers and (for a small number of employees) driver’s license numbers,” Reuben Shelton, general counsel at Precision Planting, wrote in a breach disclosure letter to the office of the Maryland Attorney General.
Interestingly, although the company doesn’t think that the incident was part of an attempt to steal the affected customers’ information, it is working with the FBI on it.
“We believe this unauthorized access was not an attempt to steal customer information; however, it is possible that files containing personal information may have been accessed and therefore we are making this notification,” the letter says.
“The incident has been contained and we have partnered with a leading forensics firm to understand and remediate this issue. In addition, we have asked the Federal Bureau of Investigation for assistance.”
The Monsanto data breach has some similarities to another incident reported this week at San Diego State University. Officials at SDSU said that some information on a specific database was accessible to unauthorized users for a period of time, but they didn’t have any evidence that it was ever accessed by any employees or students who shouldn’t have seen it, or by attackers.
Image from Flickr photos of Thanasis Anastasiou.