Cyber Incident Victim: Bristol Myers Squibb
Date: May 2023
Location: United States of America
Summary
Bristol Myers Squibb suffered a data breach after hackers exploited a vulnerability in the MOVEit file transfer software. The unauthorized access led to the exfiltration of sensitive employee information, which included names, Social Security numbers, contact details, dates of birth, and employment-related data. The company took its MOVEit server offline to address the issue and notified affected individuals following an internal investigation. The incident was contained to the file transfer system and did not impact the firm's core IT infrastructure.
Description
On May 31, 2023, Bristol Myers Squibb was informed that MOVEit, a file transfer program utilized by the company, contained a vulnerability that allowed unauthorized parties to access confidential information stored on the BMS MOVEit server. This notification came amidst widespread disclosures concerning a critical zero-day vulnerability in the MOVEit Transfer software, which was being actively exploited by a cybercriminal group. In immediate response to this information, Bristol Myers Squibb took the MOVEit software offline to isolate it from the network and prevent any further unauthorized access. The company then installed all available security patches provided by the software vendor to eliminate the specific vulnerability that had been exploited.

Bristol Myers Squibb promptly launched a comprehensive internal investigation to determine the nature and scope of any potential data compromise. The purpose of this investigation was to ascertain whether any confidential information had been accessed or exfiltrated as a result of the vulnerability. The investigation confirmed on June 1, 2023, that an unauthorized party had indeed accessed and downloaded confidential BMS data from the MOVEit server. The forensic analysis determined that this unauthorized access had occurred as early as May 27, 2023, several days before the company was formally notified of the software vulnerability. This indicated that the threat actors had exploited the window between the start of active exploitation and the vulnerability's public disclosure and the availability of patches.
Following the confirmation of a data security incident, Bristol Myers Squibb conducted a detailed review of the files that were present on the compromised MOVEit server. This review was necessary to identify precisely which individuals were affected and what specific types of personal information were involved. The company determined that the incident resulted in the exposure of sensitive employee information. The compromised data varied from individual to individual but included a combination of the following data elements: full names, Social Security numbers, email addresses, mailing addresses, phone numbers, dates of birth, genders, ethnicities, and employment statuses. The breach was contained exclusively to the MOVEit server, and an analysis confirmed that none of Bristol Myers Squibb's core internal IT systems were affected or accessed during this incident.
On June 29, 2023, Bristol Myers Squibb filed an official notice of data breach with the Attorney General of Montana, as required by state law. This filing served as a public acknowledgment of the incident and its impact on employee data. Concurrently, the company began the process of sending out individualized data breach notification letters by mail to all persons whose information was affected by the recent data security incident. These letters were intended to inform each recipient about the breach and were designed to provide them with a specific list of the personal data that was compromised in relation to them. The notification process was a direct consequence of the company's investigation and its obligation to inform individuals of the potential risk to their personal information.
Bristol Myers Squibb is a global pharmaceutical company headquartered in New York City. The company employs more than 34,000 people and generates approximately $46 billion in annual revenue. It manufactures prescription pharmaceuticals and biologics for a wide range of serious conditions, including cancer, HIV/AIDS, cardiovascular disease, diabetes, hepatitis, rheumatoid arthritis, and psychiatric disorders. The incident involved a third-party file transfer solution and did not impact any systems related to drug discovery, development, or manufacturing processes. The primary impact of the breach was the potential exposure of current and former employees' personally identifiable information, placing them at a heightened risk of fraud and identity theft. The company's response focused on securing the affected system, investigating the extent of the data leak, and fulfilling its regulatory and legal obligations to notify the affected individuals.
