Well, this is a bit different.
On February 13, MKS Instruments in Massachusetts (the U.S. parent company of the MKS and Atotech group of companies) became aware of a ransomware event. By February 16, they issued a notification letter to former and current employees who may have been affected.
Their notification informed employees that, “While exfiltration of personal employee data has not been confirmed, we cannot rule it out and thus are providing notice.”
(That’s not the different part. Stay with me….)
After noting that they could not rule out whether personal employee data had been exfiltrated, they wrote,
Our understanding is that, in similar prior cases affecting other companies, ransomware actors have appeared to refrain from using personal data against individuals.
Somewhat surprised to read that, especially since some threat actors have reached out to employees, students, or patients in other cases to try to extort them, DataBreaches posted a question on Infosec.Exchange asking whether anyone had ever seen an assurance like that in a breach notification letter.
The wholly unscientific query produced no “yes” responses and a few “no’s.”
In any event, MKS writes that the types of personal data that may have been involved, “where collection of such personal data is permitted by local law,” included:
Name, contact information, address, government ID numbers (including Social Security Number in the U.S.), work login credentials/passwords, marital status, veteran status, nationality, immigration status, race, religious beliefs (where MKS is required by law to collect), education, employment history, date of birth, gender, sexual orientation, bank account information, payment card information, information about compensation and equity, information about job position and time/hours worked, information about disabilities, health and medical conditions, employer union, health insurance information, basic information regarding your partner, children and emergency contacts (such as name, age, and contact details), if applicable.
That’s a lot of personal information, and hopefully MKS is still working to determine whether data were actually exfiltrated. Those being notified are being offered two years of identity monitoring.
The notification does not indicate how many people have been notified or whether HHS has been notified. Nor does the letter provide any details on the ransomware incident itself, such as what type of ransomware was involved or whether there was any negotiation with a ransomware group.
Their full notification can be read on the Montana Attorney General’s website. For a report on some of the breach’s impact on its customers, see this news article on Bloomberg.
MKS’s website currently displays a message, “Unfortunately, www.mks.com is experiencing an unscheduled outage. Please check back again at a later time.”
DataBreaches has submitted an email to their worldwide email address to ask about the type of ransomware and how many people are being notified. The email also asks for the source of their understanding that criminals refrain from misusing the personal information of employees.
Link to Bloomberg article, “Applied Materials’ Sales Shortfall Linked to Cyberattack at MKS,” added post-publication.
Update: Katie Coleman from communications firm Kekst CNC responded to the email inquiry, “The 8-K currently includes all the information we have to share publicly at this point.”