Bose has filed a report with New Hampshire officials after the personal information of its employees living in the state was compromised.
The company does not say what ransomware strain or group was behind the attack. It simply stated the company “experienced a sophisticated cyber-incident that resulted in the deployment of malware/ransomware across Bose’s environment.”
By April 29, Bose’s forensic analysts managed to access internal administrative HR files with Social Security numbers, addresses, and salary information of employees, including six New Hampshire residents.
The company doesn’t know if attackers could steal files or information from the system.
Bose is now working with the FBI to see whether the stolen information has leaked on the dark web but hasn’t found any. The company says it implemented “enhanced malware/ransomware protection” on endpoints and servers and took additional protective measures.
The six New Hampshire employees received free identity protection services through IdentityForce for just 12 months.
But cybersecurity experts criticized the company because it took Bose 1.5 months to discover which data was accessed and another 3 weeks to notify the affected individuals, which is plenty of time for attackers.
Bose could have reacted faster, taken more responsibility for the attack, and presented a clear plan for how it would prevent such attacks in the future. Some companies are overly cautious when reporting attacks on their systems because they don’t want to attract attackers who may try to use the situation to their advantage. In addition, information about a breach can often affect stock prices. Nevertheless, the employees affected by the attack need to be notified as quickly as possible so they are prepared for phishing or other activity.