Hey Everyone,

We’re back from a week off with two new addendum filings. Both filings shared similar stories but presented them differently. Both companies suffered incidents where they detected unauthorized access across their networks, initiated their incident response plans and eventually contained the threat at hand. One mentioned the loss of customer data, and the other alluded to mailing breach notification letters without additional details. What’s interesting (but unsurprising) to me: the majority of company filings related to exfiltrated data use vague descriptors when referencing the stolen data or impacted systems:

• ‘a small percentage of mailboxes’

• ‘exfiltrated limited data from this environment’

• ‘exfiltrated data and encrypted data on certain non-production systems’

• ‘some of the companies source code’

• ‘limited data that includes some client information and PII’

The indirect reference of stolen records through breach notification letters was a first for these filings. This is a dramatic shift from one of the first Material Incidents filed with the SEC, that referenced 35M records being stolen. I imagine more companies will be be following suit and keeping things vague going forward but we’ll see!

This Weeks Filings

MarineMax INC 8-K/A, April 1, 2024
Originally filing back in March, MarineMax submitted an addendum to their filing this past Monday. The updated filing adds some new details to the incident, including the exfiltration of customer and employee data associated with their retail division. There was no information on the amount of records impacted but, the company did disclose the incident has since been remediated. MarineMax intends to send breach notifications to potentially impacted parties which may shed some light on the number of records.

SouthState Corp 8-K/A, March 29, 2024
The SouthState Bank submitted an update to the original filing back in February. The original filing and addendum were fairly sparse on details about the incident. The bank engaged an outside security firm to assist with the remediation and investigation. According to the filing, this investigation has been concluded and the incident contained. The filing mentioned SouthState will mail notification letters to individuals whose personal information may have been involved.

Thanks for reading!
Matt