Cyber Incident Victim: Pitney Bowes

Date: Apr 2020

Location: United States of America

Summary

A global business services company experienced a Maze ransomware intrusion in which attackers exfiltrated sensitive data but failed to deploy encryption. This incident occurred shortly after a separate Ryuk ransomware attack against the same organization. The threat actors stole internal documents including company reports, customer operations details, executive emails, and system certificates, subsequently publishing directory screenshots as proof of compromise. While the company prevented file encryption through early detection and third-party security collaboration, attackers accessed folders containing financial forecasts, employee records, and meeting agendas. Investigation revealed limited unauthorized access to IT systems, with ongoing assessments to determine the full scope of data exposure.

Description

On or around April 30, 2020, Maze ransomware operators infiltrated Pitney Bowes' systems but were prevented from executing their encryption routine due to the company's defensive actions. This marked the second ransomware incident affecting the company within seven months, following an October 2019 Ryuk attack. The attackers exfiltrated data prior to attempted encryption, subsequently publishing directory screenshots and executive contact information on their leak site under the "New Clients" section as proof of compromise. The stolen data included folders containing company reports, financial forecasts, operating expenses, customer operations calendars, meeting agendas, Citrix-related files, security certificates, phone lists, customer databases, and current employee information. Modified timestamps on some folders indicated the attackers maintained access through at least April 30. Specific compromised personal and work email addresses belonged to three senior executives: Bill Borrelle (SVP and Chief Marketing Officer), Manish Choudhary (former SVP for SMB Products & Strategy), and Cliff Rucker (SVP of Client and Partner Success).

Pitney Bowes detected the intrusion and engaged third-party security consultants to implement immediate containment measures that blocked the encryption phase. The company launched an investigation to determine the scope of data exposure, initially assessing the breach as "limited" with no evidence of ongoing unauthorized access. Maze operators deviated from their typical victim announcement format by omitting a lock date, confirming encryption did not occur. While forensic analysis continued, the organization publicly confirmed the attackers accessed some business documents and executive communications but emphasized no further system compromises were identified. The incident exposed sensitive corporate information and employee data, creating potential reputational and operational risks, though full impact assessment remained ongoing at the time of reporting.
