Clarkson PLC has revealed that a single user account was at the crux of a data breach resulting in the theft of confidential information.
The cybersecurity incident took place in 2017, in which threat actors gained access to internal systems from May 31, 2017, until November 4, 2017.
In an updated security advisory (.PDF) posted this week, Clarksons, a global shipping provider, said an unauthorized third party was able to access computer systems based in the United Kingdom in order to copy confidential data.
According to the company, access to these systems was gained through a single user account.
The hackers then demanded payment in return for the stolen information on the threat of public release, of which was refused.
After reporting the incident and hiring outside forensic help, the firm discovered the problematic account, which was then disabled.
"Through the investigation and legal measures, Clarksons were then able to successfully trace and recover the copy of the data that was illegally copied from its systems," the company added.
While Clarksons believes that the data has been traced and successfully secured, the shipping giant has also notified those who may be affected by the incident.
While the potentially affected personal information "varies by individual," the trove of data potentially compromised is huge.
The stolen data may include dates of birth, contact information, criminal convictions, ethnicity, medical data, religion, login credentials, signatures, tax information, insurance details, national insurance numbers, passport information, and social security numbers.
In addition, visa/travel documentation, CVs, driver's license/vehicle identification information, seafarer information, bank account data, payment cards and other financial data, addresses, and information concerning minors may have been compromised.
This information -- especially in bulk -- is incredibly sensitive and, should it have been released publicly, could have had a devastating effect on individuals, their credit, and identities.
With the arrival of GDPR, companies may be less keen to hold so much data on users, staff, and customers, especially in the knowledge of the consequences of a successful data breach and mandatory regulator notice of such incidents.
The more information that is held, especially if it is not required by the business, the more risk a data breach poses not only to reputation and trust, but also in terms of potential penalties, fines, and costs associated with damage control.
Law enforcement and regulators have been notified of the cybersecurity incident.
"Clarksons take the security of personal information very seriously," the company said in a statement. "Clarksons has enhanced security measures in place to protect data in its care and [..] Clarksons has notified the necessary regulatory and law enforcement bodies across the relevant jurisdictions."
ZDNet has reached out to Clarksons with additional queries and will update if we hear back.