Canon: Ransomware Attack Exposed Employee Data
Company Finally Acknowledges Earlier Incident Exposed Corporate Information
Canon USA has finally acknowledged that a ransomware attack earlier this year involved the theft of corporate data, including employee information.
In a Nov. 25 notification statement, the imaging company says it contacted law enforcement officials after the attack and hired a security firm to help in the investigation.
Canon now says the attackers first gained access to the network in July. While the company did not release specific details about the attack, the apparently now-defunct Maze gang claimed credit for the incident at the time and posted a small sample - about 2.5GB - of data on its darknet site as proof of the attack (see: Maze Reportedly Posts Exfiltrated Canon USA Data).
"We determined that there was unauthorized activity on our network between July 20, 2020, and August 6, 2020. During that time, there was unauthorized access to files on our file servers," according to the notification sent out Wednesday.
After concluding the investigation on Nov. 2, Canon found files affected by the ransomware attack contained information on current and former employees who worked for the company from 2005 to 2020, according to the new notification. The data included names, Social Security numbers, driver's license numbers or government-issued identification numbers, financial account numbers provided for direct deposit, electronic signatures and dates of birth.
"As a precaution, we have arranged for them to receive a complimentary membership to Experian's credit monitoring service," the company said of those whose data had been breached.
A Canon spokesperson could not be immediately reached for comment Monday.
Other Canon Cyber Issues
At about the same time as the ransomware attack, Canon reported some technical issues with some of its websites that resulted in users not being able to access pictures and images from its cloud-based service (see: Canon USA Websites Offline Following Cyber Incident).
Canon acknowledged that this incident was caused by technical issues and not related to the ransomware attack.
"When Canon switched over to a new version of the software to control these services on July 30, the code to control the short-term storage operated on both of the short-term storage and the long-term storage functions, causing the loss of some images stored for more than 30 days," the company said. "By August 4, we identified the code causing the incident, and corrected it. We found no unauthorized access to 'image.canon.' The incident caused no leakage of images and those that went missing may be restorable."
Maze was one of the first ransomware groups to exfiltrate data from victims and threaten to release it if a ransom was not paid. The Canon notification, however, did not note whether the company paid a ransom or communicated with the attackers.
Maze was a leader in developing the ransomware-extortion model but, in November, the gang posted a notification on its darknet site stating the group had "retired" - although it's not clear what the cybercriminals' true intentions are (see: Maze Claims to End Its Ransomware and Extortion Operations).
Since Maze's announcement, other ransomware gangs, including Egregor, have looked to fill the void (see: Qbot Banking Trojan Now Deploying Egregor Ransomware).