Cyber Incident Victim: Honeywell International Inc.

On or around May 27, 2023, Honeywell International Inc. experienced a data breach stemming from a vulnerability in Progress MOVEit Transfer, a third-party web transfer application utilized by the company. The breach was an external system breach, categorized as hacking. Honeywell became aware of the vulnerability in the MOVEit software and immediately launched an investigation. This investigation, which commenced upon learning of the vulnerability, detected that an unauthorized third party had gained access to a single MOVEit server used by Honeywell. The company’s cybersecurity defenses were activated and are credited with limiting the overall impact to this one server. The investigation revealed that data had been accessed through the MOVEit application by the unauthorized actor. This data included certain personally identifiable information, specifically names in combination with Social Security Numbers.

The breach was officially discovered by Honeywell on August 28, 2023. Following the discovery, the company took containment actions by fully patching and upgrading the Progress MOVEit application. This remediation step was executed as soon as the necessary patches were made available from the software provider, Progress. Service was restored only after these patches and upgrades were completely applied. The company confirmed that all of its systems remained fully online throughout the incident and that the breach had no impact on company operations. Honeywell also stated it was in contact with certain law enforcement and regulatory authorities regarding the unauthorized access.

The total number of persons affected by this incident was 118,379, which included 301 residents of the state of Maine. Because the number of Maine residents exceeded 1,000, Honeywell fulfilled its obligation to notify the consumer reporting agencies. The company determined the method of consumer notification would be written notice. The dates for this consumer notification were set for September 14, 2023. As part of its response, Honeywell offered identity theft protection services to the affected individuals. The offered service consisted of two years of credit monitoring and identity repair services provided through Experian.

In its public statements, Honeywell reported that it did not expect the unauthorized access to the MOVEit server to have a material impact on its business operations. The company also addressed a secondary aspect of the incident, noting an awareness that certain Honeywell suppliers had also been impacted by the same Progress MOVEit vulnerability. Honeywell stated that its own data might have been impacted as a result of these supplier breaches. The company committed to assessing and responding to any such impacts as part of its ongoing investigation, particularly as it received formal notification from suppliers that Honeywell data had been compromised. The investigation into the full scope of the incident was described as ongoing.

Honeywell is a multinational corporation with its headquarters located at 855 South Mint Street in Charlotte, North Carolina, 28202. The company operates primary business sectors in aircraft, building technologies, performance materials and technologies, and safety and productivity solutions. It employed approximately 97,000 workers worldwide in 2022. The breach notification for the State of Maine was submitted by William Ridgway, a partner at the law firm Skadden, Arps, Slate, Meagher & Flom LLP, who acted as outside counsel for Honeywell International Inc. The firm confirmed that Honeywell had not issued any previous breach notifications within the twelve months preceding this incident.