
Bose Employee Data Accessed in Latest Ransomware Attack

High-end audio-tech giant Bose has disclosed a ransomware attack, which it said rippled “across Bose’s environment” and possibly led to the exfiltration of employee data. According to a disclosure letter sent to the Attorney General’s Office in New Hampshire, the incident first occurred on March 7th, and Bose says it initiated its incident-response process at that point. While the letter didn’t mention how much the hackers were asking for, a company spokeswoman confirmed to media that Bose declined to pay the ransom and instead relied on its own resources to regain control of its internal environment.


“Bose initiated incident-response protocols, activated its technical team to contain the incident, and hardened its defenses against unauthorized activity,” according to the letter filed more than two months after the incident. “In conjunction with expert third-party forensics providers, Bose further initiated a comprehensive process to investigate the incident. Given the sophistication of the attack, Bose carefully, and methodically, worked with its cyber-experts to bring its systems back online in a safe manner.”


The hackers were able to access HR files for six former employees, which included names, Social Security numbers and compensation-related information, the team determined; however, it’s unclear whether the data was successfully stolen. “The forensics evidence at our disposal demonstrates that the threat actor interacted with a limited set of folders within these files,” the letter explained, adding that it couldn’t confirm whether exfiltration had occurred one way or another.



During and after the attack, Bose said that it implemented the following measures:


  • Enhanced malware/ransomware protection on endpoints and servers to further enhance our protection against future malware/ransomware attacks


  • Performed detailed forensics analysis on impacted server to analyze the impact of the malware/ransomware


  • Blocked the malicious files used during the attack on endpoints to prevent further spread of the malware or data exfiltration attempt


  • Enhanced monitoring and logging to identify any future actions by the threat actor or similar types of attacks


  • Blocked newly identified malicious sites and IPs linked to this threat actor on external firewalls to prevent potential exfiltration


  • Changed passwords for all end users and privileged users


  • Changed access keys for all service accounts.

 
 
 


©2019 Iris
