
Illegal access to data records has caused an information security breach affecting customers and distributors of Utah-based marketing company doTERRA International, LLC, according to documents recently posted by the Office of the Attorney General in at least two separate states.
A sample notice filed last week by doTERRA with the California Attorney General attributes the breach to unauthorized access of a system maintained by an undisclosed vendor the company uses for data and software services. California law requires businesses to notify state residents about unauthorized access or suspected access to their unencrypted information. A business that issues breach notices to more than 500 CA residents must file a sample copy with the CA Attorney General, as doTERRA has.
"We are writing to notify you today that a third-party vendor that provides doTERRA with data hosting and software services recently informed us that an intruder had accessed some of the vendor’s systems."
- doTERRA. AllClear ID. "Notice of Data Breach", 18 April 2016
The Attorney General of some states, like California and New Hampshire, requires a security breach to be reported to affected parties. Check with your state's Department of Justice and Attorney General's office by visiting their .gov websites for information on "security breach", "identity theft", and "consumer protection". A sample copy of doTERRA's "Notice of Data Breach" for California residents can be downloaded from the CA OAG's page at: https://oag.ca.gov/ecrime/databreach/reports/sb24-61140 . The page also includes links to data breach stats, information on identity theft and tips on cyber safety for consumers. To locate your state and/or regional consumer protection offices, visit https://www.usa.gov/state-consumer

Likewise, a similar sample notification regarding the security violation was filed on behalf of doTERRA with the New Hampshire Attorney General last week. The NH submission includes a cover letter estimating 2,330 New Hampshire residents to be affected by the breach. The source of the breach is again attributed to unauthorized access of an unnamed vendor's system, though this letter notes that the breach appears to have resulted in the actual acquisition of customer and distributor information.

Both sample notices include the same list of information subject to compromise, including names, addresses, account passwords, social security numbers, credit/debit card numbers, related security codes, and payment information. The notice encourages recipients to change their account passwords and offers instructions to monitor credit activity, including a toll-free call to 1-877-322-8228 and a link to annualcreditreport.com, the only source for a free annual credit report under federal law. The letter also offers 24 months of identity protection and credit monitoring services to its recipients, compliments of doTERRA.
News outlets report those unaffected by the information leak were not sent a Notice of Data Breach. Regardless, social media posts show individuals who did not receive letters verifying the security of their personal information by calling AllClear ID, an identity monitoring business and data breach specialist credited as co-issuer in the letterhead of doTERRA's notice. doTERRA's letter directs questions regarding the issue to 1-855-904-5752. Customers past and present are advising each other to verify that abandoned doTERRA accounts are in fact closed, noting information may need to be filed with the company to officially close out an account.

doTERRA International, LLC lists contact information on the company's website at: https://www.doterra.com/en/international/northAmerica/unitedStates
389 South 1300 West, Pleasant Grove, UT 84062.
Member Services: 1-800-411-8151

No information regarding the use and misuse of data from the doTERRA security breach appears to have surfaced yet. The CA OAG recently addressed data breach help in this 2016 press release, listing tips for identity theft protection: https://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-commemorates-data-privacy-day-issuing-identity.

Is ID Monitoring Right for You?

Reviewing your credit report helps identify unauthorized activity, which can help protect both your credit rating AND your identity information. Your free annual credit report includes one report from each of the three credit reporting companies, which you can view all at once or space throughout the year.

While many agree on the benefits of regularly reviewing your credit report, consumer satisfaction for additional services like identity protection varies industry-wide depending on personal preference and circumstances. Some are pleased with the enhanced security of their information, notably those who have experienced the panic, cost, and aftermath of identity theft in the past. Others, however, become frustrated with the additional steps required to verify identity and open new accounts. Some services place wait times on opening new accounts. Some protection services can make access to your credit information quite a challenge for EVERYBODY, leaving you unexpectedly waiting for credit approval on the next big purchase you had planned on making today.

Review service details, and service providers, before registering with an identity monitor and ID theft protection provider to ensure these services are right for you. Remember to consider other services and programs, like credit cards and auto club memberships, that may already offer you such services for your comparison.
For more information on steps consumers can take regarding credit monitoring and identity theft, to file an identity theft report and to get a recovery plan, visit the FTC's website at https://www.identitytheft.gov/ .
- Lee Tea is an independent journalist with a public service focus on essential oil consumer advocacy.
**Trademarked name(s), term(s), brand(s), logo(s), slogan(s), and image(s) are property of their respective owners.**