Bose Corporation, the popular manufacturer and seller of home audio systems, speakers, headphones, and automobile sound systems, suffered a ransomware attack in March which compromised the personal and financial information of former employees who worked at the company’s New Hampshire facility.
The ransomware incident came to light last week after Bose Corporation filed a breach notification letter with New Hampshire’s Office of the Attorney General, stating that the malware intrusion was first detected on March 7. On April 29, the company determined that hackers had accessed internal administrative human resources files that contained the names, social security numbers, and compensation-related information of six former employees who worked at the New Hampshire facility.
“Bose is committed to protecting the confidentiality of the information we maintain. Upon detection of suspicious activity within our digital network, Bose immediately initiated our incident response protocols, activated our technical team to contain the incident and hardened our defenses against unauthorised activity. We also notified the appropriate authorities of this issue as required under applicable law,” the company said.
“Bose has not received any indication through its monitoring activities or from impacted employees that the data discussed herein has been unlawfully disseminated, sold, or otherwise disclosed. Bose has engaged experts to monitor the dark web for any indications of leaked data, and has been working with the U.S. Federal Bureau of Investigation.”
“We did not make any ransom payment. We recovered and secured our systems quickly with the support of third-party cybersecurity experts. During our investigation, we identified a very small number of individuals whose data was impacted, and we sent notices to them directly in accordance with our legal requirements,” Bose Media Relations Director Joanne Berthiaume told BleepingComputer.
“There is no ongoing disruption to our business, and we are focused on providing our customers with the great products and experiences they have come to expect from Bose,” she added.
Robert Golloday, the EMEA and APAC Director at Illusive, said that Bose deserves praise for their transparency in establishing and truing up their security controls. The communication should give their customers, suppliers and employees comfort that something is being done. Also, kudos for not paying a ransom and for having the appropriate backups in place.
“With that said, the time to put in controls for early detection and prevention of lateral movement is before these attacks occur, not after. Clearly the attackers were adept at finding ‘at risk’ data and taking advantage of the lack of attack detection and prevention. Another unfortunate example of an ever-widening criminal enterprise,” he added.