Sergiu Gatlan reports:
Artech Information Systems, one of the largest US IT staffing companies, has disclosed a data breach caused by a ransomware attack that affected some of its systems during early January 2020.
Artech is a privately-held firm with an estimated $810 million annual revenue run rate for 2019 and more than 10,500 employees and consultants across the 40 US states, Canada, India, and China.
This was one of the REvil (Sodinokibi) threat actors’ attacks that had been posted on their leak site back in January. But when BleepingComputer reached out to Artech at the time to find out if they were aware of the situation or to get a response, their emails were ignored, according to Gatlan:
BleepingComputer reached out to Artech to find if they were aware of the attack and the ransomware group’s claims but our emails were ignored, with no answer received until we published this article.
Read more on BleepingComputer. Note that the data types that may have been exfiltrated for individuals include:
“name, Social Security number, medical information, health insurance information, financial information, payment card information, driver’s license/state identification number, government-issued identification number, passport number, visa number, electronic/digital signature, username and password information…”
Artech reportedly completed its investigation at the end of June, but letters first went out at the beginning of September.
So for nine months, individuals were already at risk and no one had told them anything to put them on guard to protect themselves?
I know many in law enforcement do not like social media accounts — or even journalists — reporting on these ransomware attacks and listings on leak sites. Their argument is that it gives threat actors free publicity and increases pressure on victims to pay ransom, which only encourages threat actors even more.
But the tendency of victims NOT to disclose promptly, however they justify it, partly explains why you will continue to see these incidents revealed by others. Should BleepingComputer have even sat on the story for 9 months as it did? Some might say they were being responsible as reporting would have pointed others to exposed data, but others might argue that they left the public in the dark for nine months when their responsibility as journalists was to inform the public.
We’re in a no-win situation.