In a breach notification letter filed with New Hampshire's Office of the Attorney General, Bose said that in early March 2021, the company "experienced a sophisticated cyber-incident that resulted in the deployment of malware/ransomware across" its "environment."
At the time, Bose initiated incident response protocols, activated its technical team to contain the incident and hardened its defense against unauthorized activity. In conjunction with expert third-party forensics providers, Bose initiated a comprehensive process to investigate the cyberattack, and worked with its cyber experts to bring its systems back online. As the system was restored, the company worked with forensic experts to determine the data that was accessed and exfiltrated.
While investigating the ransomware attack's impact on its network, the audio maker discovered that some of its current and former employees' personal information was accessed by the attackers. The personal information contained in these files included names, Social Security Numbers, and compensation-related information. According to Bose, the threat actor had access to a "limited set of folders within these files."
The company has no evidence to confirm that the data contained in these files was successfully exfiltrated, but they were also unable to confirm that it was not.
The company has also engaged experts to monitor the dark web for any indications of leaked data, and has also coordinated with the U.S. Federal Bureau of Investigation. Currently, there is no indication through its monitoring activities or from impacted employees that the data that was accessed has been "unlawfully disseminated, sold, or otherwise disclosed."
In addition to offering impacted New Hampshire individuals identity protection services for 12 months, free of charge, Bose sent notification letters about the incident to the affected individuals on May 19, 2021. Kevin Dunne, President at Pathlock, a Flemington, New Jersey-based provider of unified access orchestration, explains, "When addressing the Bose communication directly, there are both some positives and negatives to how they handled the communication to affected individuals. On the positive, they acknowledged the attack, contacted the affected individuals directly, and offered up a small concession (12 months of identity protection). What lacked in the Bose response was a faster response time, as more than 60 days passed between when the breach was detected and when the affected individuals were notified. Additionally, they could have taken more responsibility for the attack and laid out a clear plan for how they would prevent these future attacks from happening."
Regardless, says Dunne, there is a lesson learned from this attack for all enterprises: "Keep your business-critical data in the applications where it can be managed and monitored, not in spreadsheets or other unmanaged databases. Employee data is sensitive data just like customer, financial, or IP-related data. Enterprises should invest in an HRM system and make sure that they have good access control and data loss prevention in place against their HRM. This way, the risk of potential damage from employee data loss can be minimized."
According to Bose, the company has enhanced malware and ransomware protection on endpoints and servers to protect against future attacks. It has also performed detailed forensic analysis on the impacted server to analyze the impact of the malware and ransomware, blocked the malicious files used during the attack on endpoints to prevent further spread of the malware or data exfiltration attempts, enhanced monitoring and logging to identify any future actions by the threat actor or similar types of attacks, and blocked newly identified malicious sites and IPs linked to the threat actor on external firewalls to prevent potential exfiltration. Bose also changed passwords for all end users and privileged users, and changed access keys for all service accounts.
Joseph Carson, chief security scientist and Advisory CISO at ThycoticCentrify, a Washington D.C.-based provider of cloud identity security solutions, explains, "Ransomware attacks are on the rise and evolving into a very dangerous digital weapon. Not only are they on the rise, they are becoming more successful, more damaging and the ransom demands are increasing into tens of millions of dollars. Ransomware and data theft continue to be the biggest threats to organizations around the world and no one is immune."
In addition, Carson says, "Bose has demonstrated strong communication and transparency around the attack and demonstrates yet again why clear communication is critical during security incidents. Working with industry experts and law enforcement ensures that they can quickly restore business operations with data integrity as well as help others prevent such incidents from occurring further."
"The hard requirement for reporting depends on many things including industry, location, compliance scope, and the breach's impact," says Jack Mannino, CEO at nVisium, a Falls Church, Virginia-based application security provider. "Companies that are forthcoming about breaches, and demonstrate a genuine desire to harden their defenses proactively, avoid some of the scrutiny that inevitably comes when an organization attempts to construct their own narratives based on limited public information."