Cyber Incident Victim: Garrett Motion

Date: May 2023

Location: United States of America

Summary

Garrett Motion was impacted by a cybersecurity incident stemming from a vulnerability in a third-party vendor's MOVEit file transfer software. An unauthorized party accessed certain company data, as well as data belonging to some employees and customers, prior to a patch being made available. The company immediately launched an investigation with cybersecurity experts and notified law enforcement. There was no interruption to business operations, and the company does not believe the incident will have a material adverse effect on its business, operations, or financial results.


Description

On or around May 28, 2023, a cybersecurity incident impacting Garrett Motion, Inc. began, stemming from a vulnerability discovered in third-party software. Progress Software Corporation, a vendor to Garrett Motion, disclosed a previously unknown vulnerability in its MOVEit file transfer software on May 31, 2023. This software is utilized by thousands of organizations globally for secure data file transfers and became the subject of a widespread cybersecurity event impacting numerous organizations and governmental agencies. Garrett Motion used the MOVEit application for certain secure file transfers supporting its business operations. The vulnerability itself could enable malicious actors to gain unauthorized access to sensitive files and information stored within the MOVEit system.

Upon being notified by the vendor of the vulnerability and receiving a corresponding security patch, Garrett Motion implemented the patch immediately. The company's initial response was to apply the remediation provided by the software supplier to secure its instance of the MOVEit application. For nearly two months following this action, the company operated without an indication that its data had been accessed prior to the patch being applied. This changed on July 28, 2023, when Garrett Motion became aware that an unauthorized party had indeed gained access to certain company data as a direct result of the vulnerability in the vendor's software and prior to the patch being made available and deployed. The accessed data included certain information belonging to the company itself, as well as certain data related to its employees and its customers.

Following this discovery on July 28, Garrett Motion immediately launched a formal investigation into the incident. This investigation was conducted in partnership with external, third-party cybersecurity experts to ensure a comprehensive examination of the event. In accordance with standard protocol for such incidents, the company also notified law enforcement authorities of the unauthorized access. Throughout this entire period, there was no interruption to any of the company's internal systems, its services, or its overall business operations. The company's infrastructure remained functional and online.

The core of the company's investigative efforts focused on determining the scope and scale of the data that may have been affected during the period of unauthorized access. This involved forensic analysis to understand precisely what information was stored on the MOVEit server and what files were potentially exfiltrated or viewed by the threat actor. The company also began the process of complying with its legal obligations regarding the incident. This included making appropriate and legally required notifications to affected employees and customers whose data was involved, in adherence with relevant data breach notification laws.

Based on the findings of its investigations conducted to date, Garrett Motion currently believes that this vendor incident will have no material adverse effect on its business, operations, or financial results. The company continues to work diligently to fully investigate the incident and its complete impact on the organization, its business, operations, and financial results. The assessment of the specific data that may have been affected is an ongoing process. The company's public statements have characterized the event strictly as a result of the widespread vulnerability in the vendor's software product, noting it as part of a globally reported cybersecurity event.
