1. Incident Details:
a. What happened? Can you provide a detailed description of the cyber attack?
We have been the victim of a cyber attack, more specifically a ransomware attack. Key IT systems were encrypted. We have already been able to restore most systems and data from backups and are confident that we will be able to complete this process shortly without any loss of data. Our production has not been disrupted by this incident, and we have met and are confident that we will meet all delivery deadlines.
b. When did the attack occur? What is the timeline of the incident?
On June 9, 2024, the attackers downloaded certain data from our systems and encrypted our systems. This was discovered in the morning of June 10, 2024 and we immediately shut down all internet connections to our IT systems.
c. How was the attack detected? What systems or alerts identified the breach?
We detected the attack based on our incident response plan and regular cyber security training.
2. Scope and Impact:
a. What data was affected? Specifically, what types of personal data were involved (e.g., names, addresses, financial information, health data)?
With respect to our external business partners, the incident involved personal data of their employees. Since we do not store any sensitive information about our business partners or their employees, this is generally limited to the business contact data of our contact persons at the respective company.
b. How many records were compromised? What is the estimated number of affected individuals?
The encryption affected all data on our business relationships with our external business partners that we store. As stated above, we were able to fully restore such data from backups. It is possible that the attackers downloaded some of this data, but again, we are confident that this does not affect any sensitive information.
3. Mitigation and Containment:
a. What immediate actions have you taken to contain the attack? How have you secured your systems?
We shut down all internet access to our IT systems immediately after we had the suspicion of a cyber attack. We restored systems and data from backups which were not contaminated.
b. Have you identified and closed any vulnerabilities? What steps have been taken to prevent further access?
Yes, to the best of our knowledge. Please understand that, for IT security reasons, we are unable to provide further details about our systems and security infrastructure.
c. Are there any ongoing risks? What additional measures are being implemented to mitigate them?
Our systems are already almost back in normal operation and we strongly believe that we will be able to fulfill all orders. As the attackers downloaded at least some data, it cannot be ruled out that they will use such data for criminal actions. For example, attackers or anyone who may receive the downloaded data may use such data to spoof business emails in order to, for example, send fake invoices. However, as no sensitive data is affected, these are mostly risk scenarios that can affect anyone regardless of such cyber attacks, and we generally recommend exercising caution if you receive emails with dubious content. In case of doubt, please contact us by phone or email.
4. Data Protection Measures:
a. Was the compromised data encrypted? If not, why?
Please understand that, for IT security reasons, we are unable to provide further details about our systems and security infrastructure.
b. What security measures were in place at the time of the attack? Were there any deficiencies identified?
Even before the attack, we used state-of-the-art security systems (such as multi-factor authentication and EDR) and had an incident response plan in place. Please understand that, for IT security reasons, we are unable to provide further details about our systems and security infrastructure.
c. How are you ensuring the integrity and confidentiality of the remaining data?
Please understand that, for IT security reasons, we are unable to provide further details about our systems and security infrastructure.
5. Notification and Reporting:
a. Have you notified the relevant data protection authorities? If so, when and what was communicated?
Yes, we have notified the relevant data protection supervisory authorities. This occurred within the statutory deadlines.
b. Have affected individuals been informed? What information was provided to them?
With respect to our business partners, they have already received two notifications on this incident. They may share this with any of their employees that may have been affected (i.e. mostly our contacts at these companies). In our view, there is currently no need to formally inform data subjects under Art. 34 GDPR.
c. What is your communication plan moving forward? How will you keep us updated?
We will provide additional information to our customers in the event that we deem it necessary to do so.
6. Investigation and Forensics:
a. Are you conducting a forensic investigation? Who is handling it (internal team or external experts)?
Yes, we are currently conducting a comprehensive forensic investigation. We have assembled a team of internal and external experts to handle this investigation.
b. What are the preliminary findings? Are there any indications of how long the attackers had access?
As this is still an ongoing investigation, we cannot share any further details.
c. Will you share the investigation report with us? When can we expect it?
We will share the report only as necessary, in particular with the competent data protection supervisory authorities. We will not share the report with our business partners.
7. Legal and Compliance:
a. What legal implications have been identified? Are there any potential regulatory fines or penalties?
We have identified the incident as a personal data breach within the meaning of Art. 33 GDPR. We do not expect any regulatory fines or penalties.
b. How are you ensuring compliance with data protection laws during this incident? What steps are being taken to address any compliance gaps?
We have notified the relevant data protection supervisory authorities. This occurred within the statutory deadlines. We are restoring our systems with a focus on maintaining and updating appropriate technical and organizational security measures.
8. Remediation and Future Prevention:
a. What long-term remediation actions are planned? How will you prevent similar incidents in the future?
Please understand that, for IT security reasons, we are unable to provide further details about our systems and security infrastructure.
b. Will you be updating your security policies and procedures? What changes are being implemented?
Our security policies and procedures are constantly reevaluated and updated as necessary. In doing so, we will of course also consider any lessons learned from this incident.
9. Communication and Support:
a. Who is the primary point of contact for this incident? How can we reach them?
Please use your existing contacts and the already known communication channels (our email system is up and running again).
b. How frequently will you provide updates? What can we expect in terms of ongoing communications?
We will provide additional information to our business partners in the event that we deem it necessary to do so.