Morley Companies, an organization that provides business services to dozens of Fortune 500 companies, said this week it was hit with a ransomware attack last year that led to the leak of sensitive information for more than 500,000 people.
In a press release, the company said the ransomware attack began on August 1 and made their data "unavailable." Despite requests for comment, the company would not explain why it waited until now to notify the 521,046 people affected, some of whom had their Social Security numbers leaked in the attack.
The company said the attack affected the information of "current employees, former employees and various clients." The information leaked includes names, addresses, Social Security numbers, dates of birth, client identification numbers, medical diagnostic and treatment information, and health insurance information.
Morley said it hired cybersecurity experts to respond to the situation but needed six months to collect the "contact information needed to provide notice to potentially affected individuals."
Morley does not say it was a ransomware attack in the public notice, but in the letters sent to victims, they provide more information. In filings with the Maine's Office of the Attorney General, the company explains that 521,046 people were affected.
"That investigation revealed that a ransomware-type malware had prevented access to some data files on our system beginning August 1, 2021, and there was an unauthorized access to some files that contained personal information. We then worked diligently to prevent further access and identify impacted individuals. Special programming was required, and unique processes had to be built in order to begin analyzing the data," Morley said.
"The data complexity also required special processes to search for and identify key information. This process was lengthy but necessary to ensure appropriate notification occurred. On January 18, 2022, it was confirmed that your information was involved."
The company said it would provide credit monitoring and identity theft protection services to those affected. A call center has been established to answer questions about the issue.
The company offers back-office processing, meetings and incentives management as well as exhibits and displays production to its clients.
Cerberus Sentinel's Chris Clements said it is overwhelmingly likely that the attackers had access to Morley data for weeks or even months before they ran their ransomware, locking Morley and their customers out of their data.
"During this timeframe, people exposed to risk of fraud or identity theft may have been actively targeted while being oblivious to their risk. It's incumbent upon any organization that stewards potentially sensitive data provided by their users that they not only defend it as well as possible but that they also have the capabilities to quickly identify potentially compromised information and notify those affected should the worst happen. Those processes should be part of any incident response plan and regularly tested," Clements said.
"The unfortunate reality is that far too many organizations don't have effective auditing controls to identify when data is access and by whom, or means to detect unusually high levels of access or exfiltration that can indicate that an attack is happening. Monitoring or controls to limit speed and volume of data access is a critical control that is often overlooked when planning cybersecurity strategy. Actions like alerting if a user's account is accessing data during unusual or non-work hours or pulling 200 records in an hour when they normally access 20 can be instrumental in proactively detecting and limiting exposure from a potential breach."