Cyber Incident Victim: OSIsoft LLC
Date: Nov 2018
Location: United States of America
Summary
A cybersecurity breach at OSIsoft LLC compromised all domain accounts, exposing the credentials (email addresses and passwords) of employees, consultants, interns, and contractors. Despite the cryptographic protections in Active Directory, attackers stole credentials from 29 computers and 135 accounts, leading the company to assume that every domain account had been compromised. The incident prompted an accelerated multi-factor authentication rollout and warnings against reusing passwords on external accounts, given the elevated risk of credential theft. Ongoing investigations with security partners aimed to identify further impacts while additional safeguards were put in place to block unauthorized system access.
Description
On November 16, 2018, OSIsoft LLC disclosed a security breach affecting its employees, consultants, interns, and contractors through a notification submitted to the California Office of the Attorney General. The company, known for its PI System data management software used by over 65% of Fortune 500 industrial companies across 19,000 sites worldwide, confirmed unauthorized credential theft affecting 29 computers and 135 accounts. Forensic analysis by its security service providers led OSIsoft to conclude that *all* OSI domain accounts were compromised, even where no direct evidence tied a specific system to the theft. This broad compromise meant assuming that every affected individual's email address, password, and domain login credentials had been exposed. Notably, the breach circumvented the cryptographic protections within Active Directory that ordinarily secure such sensitive data. OSIsoft explicitly warned that individuals who reused their OSIsoft passwords elsewhere, had configured external accounts to recover passwords via their OSIsoft email address, or followed systematic patterns in their external account usage faced an elevated risk of credential theft across banking, e-commerce, and other online platforms.

In response, OSIsoft accelerated its rollout of multi-factor authentication (MFA) to prevent further unauthorized access to corporate assets. The company mandated password resets for all external accounts that shared credentials with compromised OSI domain accounts, emphasizing the danger of criminals exploiting reused passwords. Ongoing investigations with multiple security firms aimed to identify additional vulnerabilities and attack vectors, and OSIsoft committed to notifying affected parties of new findings and remedial actions as the investigation continued. Interim security enhancements were deployed to block unauthorized system access and mitigate future breaches. The incident underscored the operational reliance on PI System, which managed sensor data from 1.5 billion devices globally, though the notification cited no compromise of customer-facing systems or industrial control environments.
