Rich Products Corp., the Buffalo-based family-owned food manufacturer, has disclosed a data breach originating at its third-party service provider, First Advantage Corp. The incident, reported to the New Hampshire Attorney General on April 22, 2026, began with a phishing attack against a single First Advantage employee on November 13, 2025, exposing Social Security numbers, driver's license numbers, and dates of birth.
What Happened
On or about November 13, 2025, an unauthorized third party gained access to the email account of an employee in First Advantage's Drug & Occupational Health Screening Unit, the division responsible for drug testing and occupational health screening. First Advantage detected the intrusion four days later, on November 17, 2025, and moved to contain the incident. Investigators determined the attacker downloaded the full contents of the compromised employee's inbox. The compromise was limited to the single mailbox and did not affect First Advantage's broader network, systems, or service platforms. Rich Products, however, was not informed of the incident until more than four months after First Advantage's initial discovery. Consumer notification letters to affected individuals were mailed April 21, 2026.
What Was Taken
The exposed dataset was pulled directly from the compromised mailbox and varies by individual record. Confirmed data types include:
- First and last name
- Social Security number
- Driver's license number
- Date of birth
The combination of full name, SSN, government ID, and DOB is a high-value identity theft payload, sufficient to enable synthetic identity fraud, tax fraud, new-account fraud, and targeted social engineering against the affected individuals.
Why It Matters
This incident is a textbook illustration of third-party risk propagation. Rich Products had no direct compromise, yet its workforce or applicant data landed in an adversary's hands because a vendor's single employee clicked a phishing lure. The four-month gap between First Advantage's discovery of the breach and Rich Products' notification is particularly concerning, extending the window in which affected individuals were exposed to identity theft without the ability to take protective action. For defenders, the case reinforces that contractual notification timelines with processors and background-check vendors are as important as internal detection capabilities.
The Attack Technique
The threat actor used a standard phishing technique to harvest credentials for a single First Advantage employee's email account, then logged in as that user and exfiltrated the entire mailbox contents. No lateral movement into broader systems was reported, suggesting either opportunistic mailbox scraping for resale on criminal markets or a targeted play against the Drug & Occupational Health Screening Unit, which routinely handles sensitive PII in applicant screening workflows. The extended dwell window (reported as roughly four days of access before detection) was sufficient to download the full inbox.
What Organizations Should Do
- Enforce phishing-resistant MFA (FIDO2/WebAuthn) on all mailboxes, especially in units that process PII such as HR, screening, and compliance teams.
- Apply data loss prevention (DLP) and mailbox auto-forward/bulk-download anomaly alerts to flag unusual exfiltration from a single account.
- Audit third-party and background-screening vendors for contractual breach notification SLAs; push notification windows to 72 hours or less, and require written incident summaries.
- Minimize PII retained in email by routing applicant SSNs, driver's license images, and DOBs through dedicated secured portals rather than inbox attachments.
- Run targeted phishing simulations and just-in-time training for employees in high-PII functional units like occupational health screening and HR operations.
- Maintain an incident-ready identity protection program (credit monitoring, fraud alerts) so downstream victims can be onboarded quickly when vendor breaches occur.
Sources: Rich Products Data Breach: SSNs and Government IDs Exposed