On June 29, 2023, Bristol Myers Squibb filed a notice of data breach with the Attorney General of Montana after confirming that MOVEit, a file transfer software used by BMS, contained a vulnerability that allowed hackers to access confidential information that had been provided to BMS. In this notice, BMS explains that the incident resulted in an unauthorized party being able to access employees’ sensitive information, which includes their names, Social Security numbers, email addresses, mailing addresses, phone numbers, dates of birth, genders, ethnicities and employment status. Upon completing its investigation, BMS began sending out data breach notification letters to all individuals whose information was affected by the recent data security incident.

If you received a data breach notification from Bristol Myers Squibb, it is essential you understand what is at risk and what you can do about it. A data breach lawyer can help you learn more about how to protect yourself from becoming a victim of fraud or identity theft as well as discuss your legal options following the MOVEit / Bristol Myers Squibb data breach. For more information, please see our recent piece on the topic here.

What Caused the Data Breach Affecting Bristol Myers Squibb Employees?

The Bristol Myers Squibb data breach was only recently announced, and more information is expected in the near future. However, BMS’s filing with the Attorney General of Montana provides some important information on what led up to the breach. According to this source, on May 31, 2023, BMS was informed that MOVEit, a file transfer program used by BMW, contained a vulnerability allowing unauthorized parties to access confidential information contained on the BMS MOVEit server.

In response, Bristol Meyers Squibb took the MOVEit software offline, installed all available patches to eliminate the vulnerability, and then launched an investigation to determine what, if any, confidential employee data was compromised.

On June 1, 2023, the BMS investigation confirmed that confidential BMS data had been accessed and downloaded by an unauthorized party as early as May 27, 2023.

After learning that sensitive employee data was accessible to an unauthorized party, Bristol Myers Squibb reviewed the compromised files to determine what information was leaked and which employees were impacted. While the breached information varies depending on the individual, it may include your name, Social Security number, email address, mailing address, phone number, date of birth, gender, ethnicity and employment status.

On June 29, 2023, Bristol Myers Squibb sent out data breach letters to anyone who was affected by the recent data security incident. These letters should provide victims with a list of what data of theirs was compromised.

Because the incident only involved BMS’s MOVEit server, none of the company’s core IT systems were affected by the recent breach.

More Information About Bristol Myers Squibb

Bristol Myers Squibb is a pharmaceutical company based out of New York City, New York. BMS manufactures prescription pharmaceuticals and biologics designed to treat a wide range of conditions and illnesses, including cancer, HIV/AIDS, cardiovascular disease, diabetes, hepatitis, rheumatoid arthritis, and psychiatric disorders. Bristol Meyers Squibb is traded on the New York Stock Exchange under the symbol “BMY.” Bristol Myers Squibb employs more than 34,000 people and generates approximately $46 billion in annual revenue.