Full Report
On or around November 13, 2025, we identified suspicious activity occurring within our environment. In response, we quickly took some of our systems offline to stop the activity and followed our incident response protocols. As part of that process, we brought in independent cybersecurity specialists to help us understand what happened and to make sure our network was secure. We also notified federal law enforcement. The investigation found that an unauthorized actor had access to certain Morningstar systems from November 12 to November 13, 2025, when we cut off that access. During this time, the unauthorized actor was able to potentially view and/or obtain certain information stored on our systems.
Analysis Summary
# Incident Report: Morningstar Properties Data Breach
## Executive Summary
On November 13, 2025, Morningstar Properties, LLC identified a cybersecurity incident involving unauthorized access to its systems. An investigation revealed that an external threat actor gained access to the environment for approximately 24 hours, during which they potentially viewed or obtained sensitive personal information belonging to 1,218 individuals. The company responded by taking systems offline, engaging forensic specialists, and notifying federal law enforcement to contain the threat.
## Incident Details
- **Discovery Date:** November 13, 2025
- **Incident Date:** November 12, 2025 – November 13, 2025
- **Affected Organization:** Morningstar Properties, LLC
- **Sector:** Real Estate / Storage & Marinas
- **Geography:** Matthews, PA, USA (and other North American locations)
## Timeline of Events
### Initial Access
- **Date/Time:** November 12, 2025
- **Vector:** External system breach (Hacking)
- **Details:** An unauthorized actor gained access to specific Morningstar systems.
### Lateral Movement
- **Details:** The investigation confirmed the actor had access to "certain systems," suggesting limited movement within the environment before detection.
### Data Exfiltration/Impact
- **Details:** Between November 12 and November 13, the actor was able to potentially view and/or obtain information stored on the compromised systems, including names and other personal identifiers.
### Detection & Response
- **Discovery:** November 13, 2025, via identification of suspicious activity.
- **Response actions:** Systems were taken offline immediately; incident response protocols were initiated. Access was successfully cut off on November 13.
## Attack Methodology
- **Initial Access:** Hacking / external system breach (the specific entry point, e.g. VPN or phishing, was not disclosed).
- **Persistence:** Not explicitly detailed; access lasted approximately one day.
- **Defense Evasion:** Not detailed, though the quick discovery suggests the actor's activity triggered internal alerts.
- **Collection:** Data stored on compromised systems was accessed/viewed.
- **Exfiltration:** Potential acquisition of stored information.
- **Impact:** Potential data breach affecting PII of over 1,200 individuals.
## Impact Assessment
- **Financial:** Costs associated with forensic specialists (Troutman Pepper Locke LLP) and legal counsel.
- **Data Breach:** Compromised PII for 1,218 individuals (Names and unspecified personal identifiers).
- **Operational:** Partial business disruption due to taking systems offline for containment.
- **Reputational:** Public disclosure via State Attorney General offices and notification of affected consumers.
## Indicators of Compromise
- **Network indicators:** None disclosed in the public notice.
- **File indicators:** None disclosed.
- **Behavioral indicators:** "Suspicious activity" within the internal environment triggered the response.
## Response Actions
- **Containment:** Targeted systems were taken offline immediately upon discovery.
- **Eradication:** Unauthorized access was revoked/cut off on November 13, 2025.
- **Investigation:** Engaged independent cybersecurity specialists to conduct a forensic review.
- **Notification:** Notified federal law enforcement and submitted formal notices to state regulators (e.g., Maine Attorney General). Affected individuals were notified via mail on May 19, 2026.
## Lessons Learned
- **Detection Speed:** Identification within roughly 24 hours of initial access kept dwell time short and avoided a prolonged-intrusion scenario.
- **Isolation Policy:** The ability to take systems offline quickly was critical in stopping the actor's progression.
- **Notification Lag:** There was a significant gap between the incident (Nov 2025) and consumer notification (May 2026), suggesting a lengthy forensic process to identify the exact scope of affected data.
## Recommendations
- **Access Management:** Implement or review Multi-Factor Authentication (MFA) on all external-facing systems.
- **Log Monitoring:** Enhance real-time alerting for the specific "suspicious activity" that led to this discovery to further reduce dwell time.
- **Data Minimization:** Review information storage policies to ensure that sensitive personal identifiers are only kept as long as necessary, reducing the "blast radius" of future breaches.