Canadian airplane maker Bombardier announced that it suffered a breach that exposed employee, customer, and supplier data.

Headquartered in Montréal, Canada, Bombardier is present in more than 12 countries including its production/engineering sites and its customer support network. The Corporation supports a worldwide fleet of approximately 4,900 aircraft in service with a wide variety of multinational corporations, charter and fractional ownership providers, governments and private individuals.

As part of its investigation, Bombardier sought the services of cybersecurity and forensic professionals who provided external confirmation that the company’s security controls were effective in limiting the scope and extent of the incident. Bombardier also notified appropriate authorities, including law enforcement, where required and will continue to work with the authorities as the investigation continues.

It is believed that the attackers gained access via a zero-day vulnerability in Accellion FTA, a third-party web server used to host and share large files, which allowed them to steal sensitive information and publish it on a dark web portal run by the Clop ransomware gang. Forensic analysis revealed that personal and other confidential information relating to employees, customers and suppliers was compromised. Approximately 130 employees located in Costa Rica were impacted. 

The ongoing investigation indicates that the unauthorized access was limited solely to data stored on the specific servers, and according to Bombardier, manufacturing and customer support operations have not been impacted or interrupted. Bombardier confirmed the company was not specifically targeted—the vulnerability impacted multiple organizations using the application. 

John Shier, senior security advisor at Sophos, says, “The breach announced by Bombardier on February 23, follows a February 22 announcement by Accellion acknowledging attacks against its legacy file transfer application. The significance of this breach is notable not only by its latest victim, but also in the aggregate of previous leaks attributed to the same criminal group and using the same vulnerability. It highlights the potential risks posed by legacy applications that are allowed to persist in production networks.

Shier adds, "While it may be cold comfort to the victims of this breach, it is encouraging that some of Bombardier's proactive mitigations helped contain the attack. This containment is an example of how companies can limit their supply chain risks. That said, the breach also exposed third-party information entrusted to Bombardier, which re-enforces the importance of end-to-end supply chain integrity. Each member of a supply chain must do their part in securing the assets under their control to mitigate the potential risks and harms to everyone else.”