Gates Corporation in Denver describes itself as a leading manufacturer of application-specific fluid power and power transmission solutions.
On July 7, its external counsel filed a notice of a breach with the Maine Attorney General’s Office. According to the notification, 11,090 people were affected by a ransomware attack that occurred on February 11. The firm’s notification to those affected included the following statement:
We immediately notified law enforcement and engaged computer forensic experts who worked around the clock with our superb IT team to restore our systems from back-ups. The computer forensics experts have also confirmed that our IT environment is free from this malicious software going forward. Because of our planning and investments in updating and improving our IT infrastructure, we were able to restore and restart our production capabilities quickly and without having to pay the attackers.
To be clear, our restoration was due to the tireless efforts of our global IT personnel, led by Diego Silva and his leadership team, and we did not pay ransom to “decrypt” our servers and restore our operational capabilities.
That’s a nice pat on their own back and appreciation to employees, but after they discovered on April 30 that data containing human resource records with employees’ information had been exfiltrated, did they consider paying ransom to protect their employees? The records included the employees’ “name, address, date of birth, Social Security number, direct deposit information, driver’s license, and passport, if provided.”
Gates is providing some monitoring and remediation services via Kroll to employees, but to brag about not paying ransom for a decryptor when your employees’ personal information is in criminal hands and you don’t address what you did about that other than offer them monitoring services or help if they become victims of fraud or ID theft, well… it comes across as a bit tone deaf. Did they not pay extortion as a matter of principle? If so, should they have said so? Or did they pay the threat actors and are still offering mitigation services?
DataBreaches reached out to the firm’s external counsel at Greenberg Traurig to ask for clarification as to whether Gates paid, negotiated, or did nothing in response to any demands for money to delete employee data, but no reply has been immediately received.