Cyber Incident Victim: Schlumberger
Date: May 2023
Location: United States of America
Summary
SLB's client file transfer service, which used MOVEit Transfer software, was compromised during a global cyberattack. The company promptly took the affected service offline and initiated an investigation. A very small number of customers were impacted by the unauthorized activity, and all were notified. The investigation confirmed the incident was confined to the file transfer service and that no personally identifiable information was compromised. All necessary remedial actions were taken following the event.
Description
On May 27, 2023, SLB became a victim of a widespread global cyberattack that specifically targeted its client file transfer service. This service was operated using the MOVEit Transfer software, a third-party application designed for secure data exchange. The attackers exploited a vulnerability within this software to gain unauthorized access to the system. The compromise was not an isolated event targeting SLB but part of a larger, coordinated campaign affecting numerous organizations worldwide that utilized the same MOVEit Transfer application. The initial intrusion involved the threat actors successfully breaching the security perimeter of the file transfer service to access data contained within it.

Upon discovery of the unauthorized activity, SLB took immediate action to contain the incident. The primary response was to swiftly cease all use of the MOVEit Transfer application, effectively taking the compromised client file transfer service completely offline and out of operation. This action served to isolate the affected system, preventing any further data exfiltration or access by the threat actors. By taking the system out of service, SLB contained the breach to a single, defined environment and halted its spread to any other corporate networks, systems, or digital infrastructure. The initial containment was a critical first step in mitigating the immediate threat.
Following the containment action, SLB engaged its internal cybersecurity team and a third-party incident response partner to initiate a comprehensive investigation into the full scope and impact of the event. The investigation was launched to determine the precise method of entry, the extent of data accessed, the duration of the unauthorized presence within the system, and the specific customers affected. The forensic analysis confirmed that the security compromise was confined exclusively to the client file transfer service that utilized the MOVEit software. No other SLB systems, networks, or services were breached during this incident. The investigation served to delineate the precise boundaries of the attack, providing certainty that the company's core operational technology and other IT environments remained secure and uncompromised.
A key finding of the investigation was that the incident impacted a very small number of SLB's customers. The compromise was limited to data associated with these specific customers that was processed through the MOVEit file transfer service. The company conducted a thorough review to identify every affected party. Upon confirmation, SLB promptly notified all impacted customers of the breach. These notifications were conducted without delay, ensuring that the affected parties were informed and could take any necessary steps on their end, although SLB stated that no action was required from its customers directly.
Further analysis of the nature of the accessed data concluded that no personally identifiable information (PII) was compromised during the incident. This determination was a significant finding, indicating that the data involved was likely related to other types of business or operational information rather than sensitive personal details of individuals. The company confirmed that all necessary remedial steps had been taken in response to the event. While the specific technical remedial actions were not detailed in public statements, the comprehensive nature of the response involving third-party experts suggests that these steps included patching vulnerabilities, reinforcing security controls, and implementing measures to prevent a recurrence of such an attack.
The public disclosure of the incident was made on May 31, 2023, through an official update on the SLB website. This communication provided a factual account of the event, the company's response, and the findings of the investigation. The update assured customers and partners that the situation was under control and that the impact was limited. SLB also provided a point of contact for any customers, partners, or suppliers who had questions regarding the cyber event, demonstrating an effort to maintain transparency and open communication channels with its stakeholders throughout the process.
The primary consequence of the incident was the temporary disruption of a specific client-facing service, the MOVEit-based file transfer system. By taking this service out of operation permanently, SLB incurred an operational impact that required alternative methods for sharing files with clients until a replacement solution could be implemented. The reputational impact was managed through direct communication with the small group of affected customers and a public statement that outlined the limited scope of the breach and the absence of compromised PII. The financial impact was likely associated with the costs of the forensic investigation, engaging third-party incident response services, and implementing remedial security measures.
The global nature of the attack underscores that SLB was one of many entities targeted through a vulnerability in a widely used software product. The company's response highlights a focus on rapid containment, thorough investigation, and transparent communication. The confirmed scope of the incident, limited to a single application and a small subset of customer data without PII, indicates a successful containment strategy that prevented a more significant breach. The event concluded with the decommissioning of the affected service and the completion of all necessary remedial actions, as confirmed by the company.
