Ransomware attack on Bose exposes employee SSNs and financial information

The company was forced to notify New Hampshire officials after employees in the state had their information accessed.

In a letter to New Hampshire Attorney General John Formella, audio equipment company Bose revealed that it was hit with a ransomware attack on March 7. 


The letter does not say what kind of ransomware or identify which group was behind the attack, but it explains that the company "experienced a sophisticated cyber-incident that resulted in the deployment of malware/ ransomware across Bose's environment."

By April 29, Bose and forensic analysts determined that those behind the attack managed to access internal administrative human resources files that contained the social security numbers, addresses, and compensation information of some employees, including six people who live in New Hampshire. 

The company said it could not confirm that the people behind the attack did not take files or information out of the system. It is unclear if a ransom was paid. 

Bose is now working with a private company and the FBI to search the dark web for any leaked information but hasn't found any indication that its data has been leaked, according to the letter. 

The company has now implemented "enhanced malware/ ransomware protection" on endpoints and servers, blocked malicious files used during the attack, put in place monitoring tools to watch for subsequent attacks, and more. 

The six employees living in New Hampshire were offered free identity protection services through IdentityForce for just 12 months while being told to "remain vigilant" and monitor their own accounts in a letter sent out to those affected on May 19.  

Cybersecurity experts said the public notifications forced on companies hit with ransomware attacks were important as other organizations try to protect themselves from similar attacks.

Saryu Nayyar, CEO of Gurucul, commended Bose for publicly disclosing the attack but noted that the timeline of events the company described in the letter was problematic. 

"It's important to share what thieves are doing as they are doing it to engage the necessary authorities and cyber defence experts to lessen the ripple effect of the attack. The notification letter was pretty thorough, however, the timelines are concerning. It took Bose 1.5 months to discover which data was accessed and potentially exfiltrated. It took another 3 weeks for the company to notify the affected individuals, which is a lifetime for an attacker to use that data for malice," she said. 

Other experts also noted the lengthy response time from Bose, which may have endangered the people affected by the breach. 

Pathlock president Kevin Dunne said Bose could have reacted faster and taken more responsibility for the attack, while also laying out a clear plan for how it would prevent future attacks from happening. 

"There is a lesson learned from this attack for all enterprises -- keep your business-critical data in the applications where it can be managed and monitored, not in spreadsheets or other unmanaged databases," Dunne said. 

"Employee data is sensitive data just like customer, financial, or IP-related data. Enterprises should invest in an HRM system and make sure that they have good access control and data loss prevention in place to limit the risk of potential damage from employee data loss."

He added that there is a great divide in attitudes when it comes to stakeholders involved in a cybersecurity attack.  

Some companies, he explained, are overly cautious when reporting attacks on their systems because they want to avoid attracting further attacks or tipping their hand to ransomware groups that prey on a company's need to solve a problem quickly.  

"But the employees affected by the attack will want to be notified as quickly as possible so they can monitor for any unusual activity in their compromised accounts," Dunne added. 

"Shareholders are often torn, as making information about a breach public can often sink a stock price dramatically, but on the flip side, expectations can be managed better when the public is informed as early as possible about a breach," he told ZDNet.

Jack Mannino, CEO at nVisium, said different states and industries have different requirements for reporting incidents. But he urged any attacked companies to be proactive about notifying victims in order to limit the scrutiny that inevitably comes after a breach. 

Some experts, like Shared Assessments CISO Tom Garrubba, said there was a misperception among some companies that they only have to disclose breach information if they are publicly traded or operate in a regulated environment. 

"Regardless of your industry, trying to keep such cards close to the chest can hinder the long-term ability of improving your cyber hygiene to fend off future events. By believing lightning doesn't strike twice, therefore, the organization may refuse to properly fund needed improvements to your cyber hygiene," he said. 

"This poses a false sense of security that by dodging the bullet of 'going public' the attitude may be one of 'it won't happen again' since no one really knows about it. And, if it does happen again and details leak of a previous breach? You may then see the rot in both your consumer base along with your business dealings as your reputation tarnishes. The overall key to success in this instance is transparency. It truly is a 'currency' in this world."