American audio equipment maker Bose Corporation has revealed it was the victim of a ransomware attack that occurred in early March.
In a breach notification letter filed with New Hampshire's Office of the Attorney General, Bose said it detected the cyberattack on its environment the same day it took place, on March 7, and immediately initiated incident response protocols.
“Bose Corporation experienced a sophisticated cyber-incident that resulted in the deployment of malware/ransomware across Bose’s environment. Bose first detected the malware/ransomware on Bose’s U.S. systems on March 7, 2021,” the company said.
The subsequent investigation revealed that the intruders gained access to, and possibly exfiltrated, internal administrative human resources files related to several former Bose employees. The exposed information included names, Social Security numbers, and compensation-related information.
“The forensics evidence at our disposal demonstrates that the threat actor interacted with a limited set of folders within these files. However, we do not have evidence to confirm that the data contained in these files was successfully exfiltrated, but we are also unable to confirm that it was not,” the company explained, adding that it “has engaged experts to monitor the dark web for any indications of leaked data, and has been working with the U.S. Federal Bureau of Investigation.”
After the ransomware attack, Bose took the following measures to defend against future attacks:
- Enhanced malware/ransomware protection on endpoints and servers to further enhance our protection against future malware/ransomware attacks.
- Performed detailed forensics analysis on the impacted server to analyze the impact of the malware/ransomware.
- Blocked the malicious files used during the attack on endpoints to prevent further spread of the malware or data exfiltration attempt.
- Enhanced monitoring and logging to identify any future actions by the threat actor or similar types of attacks.
- Blocked newly identified malicious sites and IPs linked to this threat actor on external firewalls to prevent potential exfiltration.
- Changed passwords for all end-users and privileged users.
- Changed access keys for all service accounts.
The company did not share additional information on the ransomware involved in the attack.