An online security breach at a national printing chain leaked thousands of sensitive documents — from labor filings involving NFL players to lawsuits against Hollywood studios to personal immigration-related papers — raising the possibility that private information could end up in the wrong hands.
The leak at PIP printing, which has more than 400 locations in 13 countries, went on for four months before it was repaired Tuesday, cybersecurity experts involved in investigating the breach told NBC News. But there's no evidence that any hackers may have stumbled upon the files to use them for malicious purposes, they add.
The documents, which NBC News examined, ranges from emails revealing credit card and social security numbers to legal filings such as depositions, subpoenas and labor lawsuits. Extensive medical records belonging to high-profile athletes were also at risk.
PIP owner Michael Bluestein told NBC News that the breach appeared to stem from a third-party IT firm that accidentally misconfigured the backup protocols — essentially leaving a "back door" open in the system.
"After discovering the breach, we acted quickly to lock down access to our database," Bluestein said. "We immediately strengthened our security controls. We changed all passwords, took offline all computers that may have been affected and brought in forensic IT experts."
Bluestein added that stronger-than-normal protections are being employed to further lock down the PIP system: "New firewalls are being installed. We are even going above the recommended security measures by also creating closed VPNs (virtual private networks) for our backup files," he said.
Bob Diachenko, whose firm Mackeeper Security Research Center investigated the breach, said it was first discovered in October.
The data breach potentially allowed access to sensitive labor filings on behalf of NFL players, such as disability claims with extensive HIPAA-protected medical records attached.
The NFL and the National Football League Players Association, a union for the players, both declined to comment on the private records of their athletes being exposed in the security breach.
One particularly salacious set of documents released in the leak pertained to a lawsuit filed against Hustler by a former male employee who claimed adult magazine publisher Larry Flynt's daughter sexually harassed him.
The suit was covered in the press after it was filed — but according to the leaked internal company documents, Hustler officially terminated the employee for failing to detect a "theft ring" at the Hustler Hollywood stores he oversaw as a district manager.