Bristol Myers Squibb
| Primary URL | Location | Industry |
|---|---|---|
| www[.]bms[.]com | Country: United States of America | Pharmaceuticals |
Profile
Bristol Myers Squibb, a pharmaceutical company headquartered in the United States, experienced a significant cybersecurity incident on May 27, 2023. The event involved the exploitation of a known vulnerability within the MOVEit secure file transfer application, a third-party software tool used for data transmission. This unauthorized access allowed an external actor to exfiltrate confidential company data. The compromised information primarily pertained to employees and included sensitive personal details such as names, Social Security numbers, contact information, dates of birth, and employment-related data. According to the company's internal assessment, the breach was confined to the file transfer system and did not extend into the firm's core IT infrastructure or primary business operations.
In direct response to the discovery of the unauthorized access, Bristol Myers Squibb immediately took the affected MOVEit server offline to halt further data loss. The company initiated a comprehensive internal investigation, engaging third-party cybersecurity experts and coordinating with law enforcement to understand the full scope and origin of the incident. Following this investigation, Bristol Myers Squibb began notifying all individuals whose personal information was confirmed to have been accessed and stolen. As part of its remediation efforts, the organization offered complimentary credit monitoring and identity protection services to the affected parties to mitigate potential risks from the data exposure. The incident underscores the critical risk posed by vulnerabilities in third-party software supply chains to even large, established corporations.
