AG Campbell Reaches $795,000 Settlement with Property Management Company for Failing to Protect the Personal Information of Thousands of Massachusetts Residents
Published Date: Aug 19, 2025
Action Type: Settlement
Massachusetts Attorney General Andrea Joy Campbell today announced that her office has reached a $795,000 settlement, pending court approval, with Braintree-based property management company Peabody Properties, Inc. (“Peabody”) for failing to adequately protect the personal information of thousands of Massachusetts residents and for unlawfully delaying required data breach notifications to the Attorney General’s Office (AGO) and affected consumers.
Peabody manages approximately 227 residential properties across the state of Massachusetts, including housing for veterans, senior living facilities, apartments, and condominiums. Between November 2019 and September 2021, Peabody experienced five separate cybersecurity breaches that exposed the sensitive personal information of thousands of Massachusetts residents, resulting in nearly 14,000 notices being sent to consumers. Breached information included Social Security numbers, driver’s license numbers, and bank account information. Hackers gained access to Peabody’s network through “phishing” emails. The first two breaches were not reported to the AGO, and Peabody failed to inform impacted residents until nearly seven months after the first two breaches occurred.
The settlement comes in the form of a consent judgment, which requires Peabody to pay $795,000 to the Commonwealth for failure to maintain an adequate security program to prevent cyber attacks, and, for two incidents, the delay in notifying the AGO and residents when attacks occurred. In addition, Peabody will be required to implement a range of cyber security measures for all company laptops and desktops, including: phishing protection software, a vulnerability management program, multi-factor authentication, an asset inventory, an intrusion detection/prevention system, a security incident and event management platform, and security software. The company is also required to conduct an annual security assessment for three years.