If you’re an Arbonne distributor you might want to keep an eye on your financial statements over the next few months.

In an exhibit attached to a data breach notification letter filed with the Office of the Attorney General of California, Arbonne has disclosed a data breach.

The incident happened on April 20th, with Arbonne maintaining it became aware of “unusual activity within a limited number of internal systems”.

While the investigation remains ongoing, the preliminary investigation determined that certain information in Arbonne’s systems may have been accessed without authorization.

By April 23rd Arbonne had identified a “data table” that had been accessed by persons unknown.

Arbonne confirmed that the information that could have been subject to unauthorized access includes personal information … such as name, address, username and password.

Arbonne notified 3,527 affected Californian residents, although written notice wasn’t initiated until May 22nd.

In the interim, Arbonne initiated a forced password reset for affected accounts.

Arbonne is also reviewing and enhancing existing policies and procedures.

Arbonne is providing access to credit monitoring and identity protection services for one year through Kroll, to individuals whose personal information was potentially affected by this incident, at no cost to these individuals.

Arbonne has also reported this matter to the FBI and relevant regulators.

Arbonne maintains that their investigation thus far

has not determined that payment card information or government ID information, such as Social Security numbers, were accessed.

Better to be safe than sorry in my opinion. I’d be getting onto any external accounts that share the same password, as well as going over methods of payment.

What lead to Arbonne’s data breach has not been disclosed. Assuming it wasn’t negligence on their part, Arbonne appear to be doing the right thing by their distributors.

What I’m unclear on is whether this breach was localized to California or whether it was company-wide.

We know about it in California because, by law, Arbonne have to notify authorities.

Whether Arbonne data was breached for distributors in other states, and if so what the total number of accounts affected is, remains unclear.

Bleeping Computer reached out to Arbonne for comment but didn’t hear back.

The publication recommends

Maryland, New York, New Mexico, North Carolina, and Rhode Island residents are advised to contact their Attorney General for more info.

We’ll keep you updated if we come across any updates.