Bomco Discloses Data Breach Exposing Social Security Numbers and Health Information

Bomco Data Breach Exposes SSNs, Financial, and Health Data of Over 800 Individuals

MEDIUM
May 26, 2026
4m read
Data Breach

Impact Scope

People Affected

811+

Industries Affected

Manufacturing, Other

Geographic Impact

United States (local)

Related Entities

Other

Bomco, Inc.; IDX

Full Report

Executive Summary

Bomco Inc., a precision metal components manufacturer for the aerospace industry, has begun notifying individuals about a data breach that occurred in June 2025. An unauthorized actor gained access to the company's network and may have exfiltrated files containing highly sensitive personally identifiable information (PII) and protected health information (PHI). The compromised data includes names, Social Security numbers, driver's licenses, financial account numbers, and health records. The company first detected suspicious activity on June 17, 2025, but the complex investigation took until April 20, 2026, to complete. Notification letters were sent to affected individuals starting on May 18, 2026, nearly eleven months after the initial intrusion.


Threat Overview

The incident timeline reveals a significant delay between the breach, its discovery, and public notification:

  • Breach Window: June 14, 2025 - June 16, 2025. An unauthorized actor had access to Bomco's network and files.
  • Initial Detection: June 17, 2025. Bomco became aware of suspicious activity.
  • Investigation Conclusion: April 20, 2026. A ten-month forensic review by third-party specialists concluded, confirming the scope of exposed data.
  • Public Notification: Starting May 18, 2026. Bomco began sending letters to affected individuals.

The breach exposed a toxic combination of sensitive data, putting victims at high risk for identity theft and financial fraud. The affected data includes:

  • Names
  • Social Security Numbers
  • Driver's License / Government ID Numbers
  • Financial Account / Credit/Debit Card Numbers
  • Health Records

Technical Analysis

The provided information does not specify the initial access vector. However, such breaches typically occur through common methods like phishing attacks that lead to credential compromise, exploitation of unpatched vulnerabilities in external-facing systems, or brute-force attacks against remote access services. Once inside the network, the attacker was able to access and exfiltrate files over a three-day period. The long duration of the forensic investigation suggests that the compromised data was likely unstructured and spread across multiple systems, making it difficult to determine the exact scope of the breach.

Impact Assessment

The primary impact is on the 811+ individuals whose data was stolen. The combination of SSNs, financial data, and health information is a worst-case scenario for data breach victims, enabling sophisticated forms of identity theft and fraud. For Bomco, the incident carries significant financial and reputational costs, including expenses for forensic services, credit monitoring for victims (24 months offered via IDX), and potential legal action. The lengthy delay between detection and notification may also draw scrutiny from state attorneys general and regulators.

IOCs — Directly from Articles

No specific technical indicators of compromise (IPs, hashes, domains) were provided in the source articles.

Detection & Response

  • Data Loss Prevention (DLP): DLP solutions could have detected and blocked the exfiltration of files containing sensitive data patterns like SSNs and credit card numbers.
  • File Integrity Monitoring (FIM): FIM tools could have alerted on unauthorized access to the sensitive files that were compromised.
  • EDR/NDR: Endpoint and Network Detection and Response tools are crucial for detecting initial access, lateral movement, and data exfiltration activities in real-time.
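To make the DLP control above concrete, here is an added example (written for this page, not code from Bomco, IDX or any DLP product) of a content classifier that validates SSN and card-number candidates before counting them, and escalates from alert to block only when both data types co-occur in one file, the combination this report highlights. The employee record is constructed sample data; the SSA issuance rules and the Luhn check are the validation steps, and health records, being free text, are out of scope for this pattern-based check.

```python
import re

# Structured identifiers named in the report (SSN and card numbers).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, grouped

# Constructed sample of an HR-style file, not real data.
SAMPLE_HR_RECORD = (
    "Employee: Jane Doe\n"
    "SSN: 123-45-6789\n"
    "Payroll card: 4111 1111 1111 1111\n"
    "Clinic note: cleared for return to work\n"
)

def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA issuance rules: area 000, 666 and 900-999 are never issued,
    and the group and serial fields are never all zeros."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> dict[str, int]:
    """Count SSN and card candidates that pass validation, so a part
    number or phone number does not trip the rule."""
    ssns = [m for m in SSN_RE.finditer(text) if is_valid_ssn(*m.groups())]
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards.append(digits)
    return {"ssn": len(ssns), "card": len(cards)}

def dlp_verdict(text: str) -> str:
    """'block' when SSN and card data co-occur in one file (the toxic
    combination the report describes), 'alert' on either alone."""
    kinds = [k for k, n in classify(text).items() if n > 0]
    if len(kinds) >= 2:
        return "block"
    return "alert" if kinds else "allow"
```

Running the classifier over files staged on an egress path (mail gateway, web proxy, file-share copy) is what lets a DLP policy act before the transfer completes rather than ten months later in a forensic review.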

Mitigation

  • Data Discovery and Classification: Organizations must know where their sensitive data resides. Regular data discovery and classification scans are essential to properly protect PII and PHI.
  • Access Control: Enforce the principle of least privilege to ensure that users and service accounts can only access the data absolutely necessary for their function.
  • Encryption: Sensitive data should be encrypted both at rest and in transit. This can render stolen data useless to an attacker without the decryption keys.
  • Timely Incident Reporting: While investigations can be complex, organizations must strive to meet regulatory requirements for timely breach notification. The 10-month investigation period in this case is exceptionally long.

Timeline of Events

1. June 14, 2025: The period of unauthorized access to Bomco's network begins.
2. June 16, 2025: The period of unauthorized access to Bomco's network ends.
3. June 17, 2025: Bomco detects suspicious activity on its network.
4. April 20, 2026: A 10-month investigation into the breach concludes.
5. May 18, 2026: Bomco begins sending notification letters to affected individuals.
6. May 26, 2026: This article was published.

MITRE ATT&CK Mitigations

Encrypting sensitive data at rest can prevent it from being usable by an attacker even if they manage to exfiltrate the files.

Applying the principle of least privilege to file shares ensures that a compromised account has access to a minimal amount of data, limiting the scope of a breach.

Audit (M1047, enterprise)

Logging and alerting on access to file shares containing sensitive data can help detect a breach in progress much faster than ten months.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis; Security Orchestration (SOAR/XSOAR); Incident Response & Digital Forensics; Security Operations Center (SOC); SIEM & Security Analytics; Cyber Fusion & Threat Sharing; Security Automation & Integration; Managed Detection & Response (MDR)

Tags

data breach, bomco, pii, phi, ssn, aerospace
