Full Report
On February 13, 2025, Terra Holdings learned of suspicious activity on certain systems in its environment. Upon learning this, Terra Holdings immediately launched an investigation with the assistance of third-party forensic specialists to determine the nature and scope of the activity. As a result of the investigation, Terra Holdings and the forensic specialists determined that certain files were accessed or taken without authorization between February 11, 2025, and February 13, 2025. Therefore, Terra Holdings and the specialists undertook a comprehensive review of the data at risk to assess if any sensitive information could be affected, and to whom it related. Because of the complexity of the data, it was not until January 26, 2026, that the specialists could identify the individuals whose data could have been impacted, and on May 8, 2026, Terra Holdings determined there was sufficient information to provide direct notice to you.
Analysis Summary
# Incident Report: Terra Holdings, LLC Data Breach
## Executive Summary
Terra Holdings, LLC experienced a targeted external system breach in February 2025, during which unauthorized actors accessed and exfiltrated sensitive files over a three-day period. Following an extensive forensic review that lasted nearly a year, the organization identified 3,918 affected individuals. The incident was mitigated through third-party forensic intervention, and affected parties were offered credit monitoring services starting in May 2026.
## Incident Details
- **Discovery Date:** February 13, 2025 (initial suspicion); May 8, 2026 (determination that sufficient information existed to provide direct notice)
- **Incident Date:** February 11, 2025 – February 13, 2025
- **Affected Organization:** Terra Holdings, LLC
- **Sector:** Other Commercial (Real Estate/Holding Company)
- **Geography:** New York, NY, USA
## Timeline of Events
### Initial Access
- **Date/Time:** February 11, 2025
- **Vector:** External system breach (Hacking)
- **Details:** Unauthorized actors successfully breached the network perimeter and gained access to internal systems.
### Lateral Movement
- **Details:** Specific techniques were not disclosed in the notice, though attackers maintained access across "certain systems" for approximately 48–72 hours to identify valuable data.
### Data Exfiltration/Impact
- **Details:** Between February 11 and February 13, 2025, certain files were accessed or taken without authorization. The data included names or other personal identifiers in combination with sensitive information.
### Detection & Response
- **February 13, 2025:** Terra Holdings detected suspicious activity and launched a forensic investigation.
- **January 26, 2026:** Forensic specialists completed the complex data review to identify specific impacted individuals.
- **May 8, 2026:** Final determination made that sufficient information existed to provide direct notification.
- **May 15, 2026:** Written notifications sent to affected consumers.
## Attack Methodology
- **Initial Access:** Hacking (External system breach)
- **Persistence:** Not disclosed
- **Privilege Escalation:** Not disclosed
- **Defense Evasion:** Not disclosed
- **Credential Access:** Not disclosed
- **Discovery:** Review of internal file systems
- **Lateral Movement:** Movement across "certain systems" in the environment
- **Collection:** Gathering files for exfiltration
- **Exfiltration:** Unauthorized removal of files between February 11 and February 13, 2025
- **Impact:** Unauthorized access and theft of PII (Personally Identifiable Information)
## Impact Assessment
- **Financial:** Costs associated with 12 months of credit monitoring for 3,918 individuals and third-party forensic services.
- **Data Breach:** Compromise of names and other personal identifiers; 3,918 individuals affected (including 5 Maine residents).
- **Operational:** No reported business disruption; resource-intensive data review lasting 11+ months.
- **Reputational:** Potential impact due to the 15-month delay between initial discovery and final notification.
## Indicators of Compromise
- **Network indicators:** None disclosed in public filing.
- **File indicators:** None disclosed in public filing.
- **Behavioral indicators:** Suspicious system activity detected on February 13, 2025.
## Response Actions
- **Containment:** Immediately launched an investigation with third-party forensic specialists upon detection.
- **Eradication:** Assumed removal of unauthorized access points during the forensic investigation.
- **Recovery:** Conducted a comprehensive, year-long review of "complex" data to ensure all impacted parties were identified.
- **Protection:** Offered 12 months of credit monitoring through Epiq.
## Lessons Learned
- **Visibility:** Early detection on February 13 limited the exfiltration window to three days, preventing longer-term persistence.
- **Data Complexity:** The organization encountered significant delays (nearly 1 year) in identifying affected individuals due to the "complexity of the data," highlighting the need for better data classification and indexing.
## Recommendations
- **Enhanced Logging:** Implement robust file integrity monitoring (FIM) and EDR solutions to detect unauthorized file access in real time.
- **Data Minimization:** Review and purge unnecessary sensitive data to reduce the complexity and scope of future forensic reviews.
- **Incident Response Planning:** Streamline the data review process with pre-vetted vendors to shorten the window between discovery and notification.
- **MFA:** Ensure Multi-Factor Authentication is enabled on all external-facing systems to prevent unauthorized initial access.