Cyber Incident Victim: Grupo Fleury

Date: May 2023

Location: Brazil

Summary

Grupo Fleury suffered a cyber attack that impacted its information technology environment. The company activated its security protocols and engaged specialized firms to minimize operational impacts. It worked to gradually normalize operations in a controlled manner, prioritizing the restoration of hospital system integrations. While some units resumed serving customers with re-established systems, the company continued its investigation to assess the full extent of the incident and restore its full technological functionality.

Description

On May 7, 2023, at 7:09 p.m., Fleury S.A. confirmed the occurrence of a cyber-attack within its information technology environment. The company, a publicly held entity in Brazil, issued a Material Fact notice to its shareholders and the market in compliance with Brazilian securities regulations. This official communication served as the primary public acknowledgment of the security incident. The initial moment of the attack was marked by system unavailability, indicating that the disruptive effects on operational technology were among the first detectable indicators of the compromise.

In immediate response to the detected unavailability, the company activated its pre-established security and control protocols. The primary objective of this initial response was to minimize the potential impacts on its ongoing business operations. To support its internal teams, Fleury engaged specialized and reference companies in the cybersecurity area, bringing external expertise to bear on the incident. The response strategy involved a controlled and gradual process of normalizing operations, which was undertaken with caution to ensure stability and security. This process included the execution of proper security tests on systems before they were brought back online to prevent further issues or re-infection.

A key priority in the restoration effort was the automatic integration of systems within hospital environments. The company identified these clinical and hospital systems as critical infrastructure, and their gradual and secure reactivation was treated with heightened importance. The Units, referring to Fleury's medical facilities and laboratories, continued to serve customers throughout the incident with systems that had already been re-established, indicating a phased recovery where some locations or systems were restored ahead of others. This approach allowed the company to maintain a level of service while the broader recovery effort continued.

Concurrently with the restoration activities, the company launched an investigation into the circumstances of the attack. This investigative work aimed to assess the full scope of the incident and determine the extent of the compromise. The company worked diligently to take all necessary measures to limit the damage caused by the attack. A central goal of the response was to fully restore the operation of the technology environment, returning it to its pre-incident state of functionality and security.

In its communication, Fleury S.A. provided context regarding its security posture prior to the incident. The company stated it maintains frequent updates and adopts available technologies to preserve an adequate level of protection for its technological environment. Furthermore, it highlighted having invested substantially in its technology structure over the preceding three years, with the stated goals of prevention and the protection of information security. The company assessed that these prior investments were essential in minimizing the effects of the attack on its operations, suggesting that existing defensive measures helped contain the blast radius and impact of the breach.

The company committed to keeping its shareholders and the market informed of any related facts that should be disclosed, as per its regulatory obligations. The Material Fact was signed by José Antonio de Almeida Filippo, the Chief Financial and Investor Relations Officer of Fleury S.A., underscoring the formal and material nature of the announcement. The incident represented a significant operational disruption that necessitated a formal disclosure to the financial market, confirming it met the threshold of a material event that could influence an investor’s decision.

The impact of the cyber-attack manifested primarily as widespread system unavailability, which disrupted the normal technological functions of the company. The specific nature of the attack, such as whether it involved ransomware, data exfiltration, or another specific threat vector, was not detailed in the public disclosure. The company's operations were affected, but the immediate focus on restoring hospital system integrations indicates that patient care and clinical services were a paramount concern during the response effort. The gradual normalization of operations implies that the full restoration of all IT systems was a process that extended beyond the initial confirmation date, requiring a methodical and security-conscious approach to ensure a complete recovery. The long-term consequences, including any potential data compromise or financial impact, were still under investigation and assessment at the time of the announcement.
