Bose Corporation (Bose) has disclosed a data breach following a ransomware attack that hit the company’s systems in early March. The Attorney General of Bose released the below statement:
“experienced a sophisticated cyber-incident that resulted in the deployment of malware/ransomware across” its “environment.”
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
<p>This incident is unfortunate for Bose and the individuals whose personal data was exfiltrated. However, Bose deserves praise for their transparency in establishing and truing up their security controls. The communication should give their customers, suppliers and employees comfort that something is being done. Also, kudos for not paying a ransom and for having the appropriate backups in place. With that said, the time to put in controls for early detection and prevention of lateral movement is before these attacks occur, not after. Clearly the attackers were adept at finding \"at risk\" data and taking advantage of the lack of attack detection and prevention. Another unfortunate example of an ever-widening criminal enterprise.</p>
<p>Refreshingly, Bose didn’t pay the ransom but due to the way these incredibly frustrating attackers operate, they released the data proving they mean business. This acts in a way to drum up fear among other companies yet to be targeted who may also find themselves one day stuck in a situation of ransomware.</p> <p> </p> <p>Further to the frustration of an attack, employee data has now been breached and once again we are seeing a war on data extremely prevalent in the industry. When data is compromised, the knock on effects are huge for all parties involved and until we build better mitigation methods, attacks will continue to pursue in operation and target those who are likely to pay.</p>
<p>In ransomware attacks like the one affecting Bose in March, we look for the slivers of good news: no significant system outages, no ransom payments made, no detection of stolen data on the dark web, and of course only a small group of affected victims. I guess looking for the small victories is one way of looking at it. Another more effective approach is to observe and learn from these incidents and completely rethink your organization’s data security posture.</p> <p> </p> <p>Ask yourself some questions. Are you merely guarding the borders around your data, or are you protecting the data itself? And if you’re protecting the data, what data-centric security method are you using? More and more enterprises are turning to tokenization and format-preserving encryption to protect their most sensitive data. These methods enable most of your business applications to work with the data without de-protecting it, and no matter whose hands the data falls into, the sensitive information cannot be leveraged. This level of data security should be music to anybody’s ears.</p>