Cyber Incident Victim: DESMI A/S
Date: Jul 2023
Location: Denmark
Summary
DESMI A/S experienced a cyberattack via a third-party MOVEit file transfer application. Unauthorized access was obtained to a limited set of data related to a few external partners. The incident was contained to the standalone MOVEit system and did not affect the company's core IT infrastructure or other services. A forensic investigation confirmed that the attackers did not escalate beyond the initial compromise.
Description
On or around July 25, 2023, DESMI A/S discovered a security incident involving a third-party software program known as MOVEit, which the company utilized for the secure transfer of files to its external partners. This discovery initiated an immediate response from the organization, which took steps to secure the affected system and launched an investigation into the nature and scope of the breach. The initial assessment indicated that unauthorized access had been obtained to a certain limited set of DESMI data that was related to a few external partners. The company prioritized direct communication with these relevant external partners to inform them of the incident and its potential impact on their shared information. The MOVEit platform was characterized as a standalone system that was not integrated into the core IT infrastructure of DESMI, a critical detail that helped shape the initial understanding of the event's containment.

The company publicly disclosed the incident on its website, providing a timeline of its response and findings. The initial announcement, dated July 25, 2023, was followed by updates as the forensic investigation progressed. DESMI emphasized from the outset that it had strong indications the criminals behind the attack had not been able to escalate their access beyond the MOVEit environment to other DESMI IT services. To substantiate these initial findings with verified evidence, DESMI engaged a leading Danish IT security company to conduct an independent and thorough post-incident forensic investigation. This external validation was a key part of their response strategy, with an expectation that a conclusive report would be ready by the early part of the following week, commencing July 31, 2023.
By July 28, 2023, the forensic investigation was still ongoing, but the first results supported the company's preliminary indication that the security incident was indeed limited to the MOVEit application. These initial findings suggested that no other DESMI IT systems or data repositories had been affected by the breach. The investigation was projected to be completed by Tuesday, August 1, 2023, at which point a subsequent update was planned. This interim communication was crucial for maintaining transparency with partners and stakeholders, providing them with confidence that the situation was being managed diligently and with expert oversight.
The final update on the incident was published on August 1, 2023, confirming the completion of the post-incident forensic investigation. The findings conclusively stated that the incident was limited to the MOVEit data transfer solution and that no other IT services within the DESMI ecosystem had been compromised by the attack. This final assessment provided closure to the incident, confirming that the initial containment measures and the isolation of the MOVEit system as a standalone platform had effectively prevented any lateral movement by the threat actors. With the investigation complete, DESMI announced that no further updates would be provided regarding this specific security incident, directing any additional inquiries to a dedicated email contact.
The nature of the incident was a compromise of a third-party file transfer tool, a type of attack vector that often targets widely used software to gain access to the data of multiple organizations. In this case, the unauthorized parties exploited a vulnerability or weakness within the MOVEit software itself to gain access to files that DESMI was transferring. The data obtained was described as limited and pertaining only to a few external partners, suggesting that the exposure was not a comprehensive extraction of all data within the system but rather a targeted or limited access event. The company's response focused on securing the specific platform, investigating the extent of the data access, and communicating directly with the affected partners.
The strategic response involved immediate action to secure the compromised system, preventing any further unauthorized access. This was followed by a forensic investigation to determine the precise scope of the data that was accessed and to verify that no other systems were impacted. The engagement of an external IT security firm added a layer of independent verification to the process, ensuring that the findings were robust and credible. The communication strategy was clear and chronological, providing updates at critical junctures in the investigation process to keep stakeholders informed without causing unnecessary alarm.
The incident highlights the cybersecurity challenges associated with relying on third-party software for critical business functions such as secure file transfer. While DESMI's core infrastructure remained untouched, the compromise of a peripheral but important system still led to a data breach. The company's handling of the situation demonstrated a methodical approach to incident response, beginning with discovery and initial containment, moving through a detailed forensic analysis with external support, and concluding with a final report that provided definitive answers. The entire process from discovery to final conclusion was completed within a compact timeframe of approximately one week, indicating an efficient and focused investigation.
DESMI's public communications were factual and avoided speculation, sticking to the known details of the investigation as they unfolded. The language used was measured and assured, reflecting a company that had control over the situation from the moment it was detected. The updates served not only to inform but also to reassure partners and customers that the company was taking the incident seriously and deploying appropriate resources to address it. The final communication effectively drew a line under the event, stating clearly that the incident had been resolved and that the impact was confined to a single, non-core system.
The closure of the investigation on August 1, 2023, marked the end of the active response phase. The company's directive that no further updates would be issued indicated a high degree of confidence in the completed forensic work. The dedicated contact email served as a point of contact for any lingering questions or concerns, demonstrating a commitment to addressing stakeholder inquiries even after the public announcement cycle had concluded. The incident, while unfortunate, was managed in a way that minimized disruption and provided clear, evidence-based conclusions about its impact on the company and its partners.
