Canadian aircraft manufacturer Bombardier suffered a security breach this month that compromised information associated with employees, customers, and several suppliers.
Data compromised in the breach included confidential information relating to 130 employees in Costa Rica. Bombardier said it is now working with law enforcement authorities and has also notified appropriate authorities about the breach. The aircraft manufacturer has also started contacting customers and other external stakeholders whose data was potentially compromised.
“An initial investigation revealed that an unauthorized party accessed and extracted data by exploiting a vulnerability affecting a third-party file-transfer application, which was running on purpose-built servers isolated from the main Bombardier IT network,” the company said.
Based on Bombardier’s statement, there is a possibility that the security breach it suffered could be attributed to Accellion’s legacy File Transfer Appliance (FTA) software, critical vulnerabilities in which were exploited by a hacker group to steal data belonging to a large number of organisations.
According to Bombardier, the stolen data, which was taken from specific servers, was uploaded by the hackers to a dark web portal. “Bombardier can also confirm the company was not specifically targeted—the vulnerability impacted multiple organizations using the application. Bombardier will continue to assess the situation and stay in close contact with its clients, suppliers and employees, as well as other stakeholders,” it added.
In January, Accellion said in a press release that Accellion File Transfer Appliance (FTA), a popular yet 20-year-old file-sharing software, was targeted by cyber criminals who exploited zero-day vulnerabilities in the legacy application to steal data associated with around 50 customers. In another update to the security incident, the company later said it had patched all vulnerabilities in the FTA software.
According to Accellion, its enterprise mobile solutions, including the new kiteworks mobile file sharing and collaboration solution, are used by government agencies worldwide which include the US Securities and Exchange Commission, NASA, the NHS, London Fire Brigade, London Borough of Camden, City of Toronto, County of Sacramento, Government of South Australia ICT, and the California Office of Statewide Health Planning & Development.
Commenting on the data theft suffered by Bombardier, Rich Vibert, CEO and co-founder at data privacy startup Metomic, said the exposure of sensitive information from Bombardier and 24 other companies because of an outdated Accellion product shouldn't be happening. This could have easily been avoided and is a huge call to action for all businesses to rethink data security, privacy and compliance.
“With a privacy-first approach, companies have to pre-emptively review how the tools they use are protecting their information, and identify in advance when an update is required. By thinking about privacy as a business priority – instead of a box to be ticked – they will prevent future leaks and retain the power of data without the risk of losing the trust of customers,” he added.
Sam Curry, Chief Security Officer at Cybereason, says the silver lining for Bombardier is that they can use the opportunity from this latest breach to invest more time in checking all entry points to systems and their global network, and hopefully root out any other suspicious activity.
“While small in nature, the alarms should be blaring for all companies because Bombardier has admitted that designs for airplanes and plane parts are now available for free on the dark web. Losing IP is devastating for companies and, in this case, don't be surprised when China, Russia and other nation states use the stolen information for profit.”
Image Source: Bombardier