Cyber Incident Victim: Halma plc

On or around May 27, 2023, a cyber-attack targeted a file transfer system called MOVEit, a third-party software application utilized by a large number of companies globally. This widespread attack affected several thousand businesses. Halma plc, a UK-based commercial entity located at Misbourne Court, Rectory Way, Amersham, Bucks, HP7 0DE, was among the organizations impacted through its technology vendor. The attackers compromised the MOVEit system and may have illegally exfiltrated data held there. The specific vulnerability was isolated to this particular piece of third-party software. Halma itself was not directly hacked; the incident constituted a data breach of its third-party software provider.

Halma was formally notified of the potential compromise by its technology vendor, MOVEit, on June 8, 2023. This notification alerted Halma that US employee personal data was held on the compromised system and may have been illegally exfiltrated as part of the global attack. Upon becoming aware of the incident, Halma immediately began working with its cybersecurity partners to secure the data. The compromised system was disconnected to isolate the vulnerability. The company also initiated active monitoring of the Dark Web and other parts of the internet to assess whether any Halma data had been leaked or was being shared illegally.

The data involved in the incident pertained to current and former US employees of Halma and its group companies, as well as US employee beneficiaries. The compromised information included personal information related to employment. For some, but not all, individuals, information relating to dependents was also accessed. The specific types of personal information acquired included an individual's name or other personal identifier in combination with their Social Security Number. The breach did not include any log-in passwords for Halma systems.

The total number of persons affected by this incident was 7,105 individuals. This figure included 243 residents of New Hampshire and 5 residents of Maine. Halma, through its legal counsel Womble Bond Dickinson (US) LLP, began notifying the impacted New Hampshire residents on June 12, 2023. Notification to the affected Maine residents was conducted electronically on June 23, 2023. The method of notification for individuals in other states was not explicitly detailed in the provided evidence but was conducted as required by relevant statutes.

The company's response included direct communication with affected individuals to explain the nature of the breach and the steps being taken. A message from Jennifer Ward, Group Talent and Communications Director for Halma, was distributed to inform employees that the data breach was part of the larger MOVEit attack and to provide guidance on protective actions. The notice clarified that Halma or its constituent companies had not been directly hacked and that the vulnerability was confined to the third-party provider's system. It was confirmed that payroll services and providers were not affected, ensuring employee pay would not be impacted.

As part of its remedial actions, Halma offered all affected employees access to identity theft protection services. These services were provided by Experian and included credit monitoring, identity restoration, and identity theft insurance. The duration of these protection services was 24 months. The company advised impacted individuals to be alert to potential scams, such as suspicious emails, phone calls, or text messages from unknown sources, and cautioned against divulging personal information like passwords. Individuals were instructed not to click on links or attachments in suspicious emails and to verify any questionable communications through alternative means.

Further guidance recommended that employees contact their banks, where their salaries were paid, for advice on any additional security steps to take. While no Halma passwords were compromised, employees were advised to follow good security practices, including changing passwords regularly, using long and strong passwords with a mixture of characters, enabling multi-factor authentication where available, and considering the use of a password manager. The company established a point of contact for employees to direct questions or report any suspicious communications to their local IT helpdesk. A dedicated channel was also set up for employees who wished to know the specific data of theirs that had been accessed.

Halma's legal representatives provided the required notifications to state authorities. A letter was sent to the New Hampshire Attorney General's office on June 21, 2023, in compliance with state statutes. A similar submission was made to the Maine Attorney General, providing details on the scope of the breach affecting Maine residents. The notification materials included copies of the consumer notices and detailed the protective measures being offered. The company committed to keeping affected individuals informed with all relevant new information as its monitoring of the web and Dark Web continued. The incident was presented as a data exposure resulting from a third-party vendor vulnerability within a global cyber-attack, with Halma taking steps to secure data and mitigate potential harm to those affected.