Cyber Incident Victim: Cree Lighting

On or around June 1, 2023, Cree Lighting, a subsidiary of Ideal Industries, was impacted by a widespread global cyberattack. The incident was not an isolated event but part of a broader campaign exploiting a vulnerability in MOVEit, a managed file transfer software developed by Ipswitch, Inc. Malicious hackers affiliated with the Russian cyber gang known as CL0P exploited this vulnerability. The attackers utilized a custom web shell to steal various files and Microsoft Azure Storage Blob information. Cree Lighting's IT security systems subsequently identified the breach, marking the initial point of detection for the company.

Upon discovery, Cree Lighting immediately engaged cybersecurity experts to assist with its response. The company took actions to secure its systems and advised law enforcement of the incident. The investigation determined that some employee data had been compromised. The breach was not unique to Cree Lighting; it was reported that likely thousands of companies and some government agencies worldwide were similarly impacted by the same global MOVEit breach. This placed the Cree Lighting incident within a much larger context of coordinated cyber criminal activity.

The scope of the impact on Cree Lighting was detailed in a disclosure the company filed with the state of North Carolina. It was determined that the personal information of approximately 609 individuals was compromised. Out of this total, 32 were identified as residents of North Carolina. The types of data exposed in the breach included names, addresses, dates of birth, and Social Security numbers of these affected individuals. The compromised data was specifically related to employees.

In response to the data breach, Cree Lighting implemented measures to assist the affected individuals. The company provided notification to those whose information was involved. To help protect these employees from potential identity theft or fraud, Cree Lighting offered 24 months of complimentary credit monitoring services through Experian. This offering was part of the company's effort to mitigate the potential negative consequences for its workforce resulting from the theft of their sensitive personal information.

Concurrently, Cree Lighting began reviewing and enhancing its security posture. As part of its response, the company informed state officials that it was implementing additional security measures intended to prevent similar incidents from occurring in the future. This action represented a direct organizational response to the security shortcomings exploited during the attack, focusing on strengthening defenses against future threats.

The incident at Cree Lighting was part of a significant wave of attacks that affected a vast number of prominent organizations globally. The exploitation of the MOVEit software vulnerability had far-reaching consequences beyond a single company. In the United Kingdom, major entities including the BBC, British Airways, Boots, Aer Lingus, and the payroll service provider Zellis fell victim to the same attack group. Ernst & Young, Transport for London, and the communications regulator Ofcom were also affected.

Within North America, the impact was equally severe. The Government of Nova Scotia in Canada estimated that approximately 100,000 present and past employees were impacted by the breach. In the United States, several government organizations were hit, including the Department of Energy. State-level agencies such as the Louisiana Office of Motor Vehicles and the Oregon Driver and Motor Vehicle Services were also compromised, an event that impacted millions of residents across those states.

The lighting industry itself has faced previous cybersecurity challenges, indicating a sector not immune to such threats. Prior to the Cree Lighting incident, another major industry player, Acuity Brands, experienced two cyberattacks in December 2021. Those breaches potentially exposed the personal information of both current and former employees. A filing with the Maine Attorney General's office indicated that 37,137 people were impacted. The information disclosed in that earlier incident varied per individual and could have included names, Social Security numbers, driver's license numbers, financial account details, and limited health information.

For Cree Lighting, the aftermath of the June 2023 incident involved ongoing vigilance. The company stated it continued to carefully monitor its systems following the initial response and containment actions. The conclusion of the investigation allowed the organization to understand the full extent of the compromise and complete its notifications to affected parties and relevant authorities. The event served as a concrete example of the escalating cybersecurity threats faced by corporations across all sectors, highlighting the vulnerability of critical software supply chains and the efficiency with which cyber criminal groups can exploit a single weakness to attack a multitude of victims simultaneously. The operational disruption and the compromise of sensitive employee data underscored the direct business and human impacts of such security failures.