In late May, Bose announced that it had experienced a data breach following a ransomware attack against its systems in early March. Bose discovered that the attackers had used their access to HR systems to reach current and former Bose employees’ personal data – specifically names, social security numbers, compensation information, and other HR-related information.
Bose refused to pay the ransom as it was able to swiftly recover and secure its systems with the help of third-party cybersecurity experts. Following the attack and recovery of its systems, Bose took the additional step of using its retained experts to monitor the internet for any indication that the compromised employee information had been leaked or disseminated. To date, Bose has reported that no such leak has occurred.
In addition to providing free identity protection services to the affected individuals for 12 months, Bose implemented new and additional security measures to defend its systems and lessen the risk of future infiltration:
- Enhanced malware/ransomware protection on endpoints and servers.
- Blocked the malicious files used during the attack on endpoints to prevent further spread of the malware or data exfiltration attempt using similar tools.
- Enhanced monitoring and logging to identify any future actions by the threat actor or similar types of attacks.
- Blocked newly identified malicious sites and IPs linked to this threat actor on external firewalls to prevent potential exfiltration.
- Changed passwords for all end-users and privileged users.
- Changed access keys for all service accounts.
Although Bose was able to swiftly combat and remediate the attack without having to pay any ransom, many companies are not able to. Cybercriminals target and exploit the fact that companies fail to incorporate necessary detection, response, and mitigation measures into their data security, and that the people working at those companies do not always make use of the tools available. This incident highlights not only the vulnerability of companies of all sizes and levels of sophistication but also the value of confidential employee data. As ransomware attacks become increasingly familiar threats, it is crucial that companies take the necessary steps to protect both customer data and the data collected from their own employees.
Such efforts are required, or soon will be, by the scores of data protection statutes now in force or being debated in the states and in the federal government, many of which grant employees the right to seek relief should their data be exfiltrated from their employer. For example, the California Consumer Privacy Act, a state statute intended to enhance privacy rights and consumer protection, establishes a private right of action giving consumers whose personal information is subject to a data breach the right to sue the breached business. The term “consumer” refers to any resident of California, including employees (although, pursuant to the California Privacy Rights Act, employees will not have the right to sue under the California Consumer Privacy Act until January 1, 2023).
Similarly, Virginia recently enacted a Consumer Data Protection Act, which may provide employees with a private right of action in the future. A number of other states are currently debating similar laws and implementing updates to existing laws. As such, individuals are gaining more rights over their data across nearly all jurisdictions, supported by a growing body of case law.