Updated 06.50, 25 June 2019 with further comment from Eurofins Scientific
A “highly sophisticated” ransomware attack on Luxembourg-based Eurofins Scientific – which provides forensic and scientific services to a range of UK law enforcement agencies – put sensitive data at risk, in a breach that has brought in global agencies including the UK’s National Cyber Security Centre (NCSC).
The attack on Eurofins Scientific during the weekend of June 1, 2019, involved “a new malware variant which was initially non-detectable by the anti-malware screen of our leading global IT security services provider at the time of the attack”, the company said in a June 10 statement, since updated to reflect recovery efforts.
Eurofins Scientific employs over 45,000 staff in more than 800 laboratories across 47 countries. It conducts over 150 million tests using a portfolio of 200,000-plus analytical methods for private and public sector customers annually.
In a June 10 statement, Eurofins Scientific said: “The facts pattern of this attack as well as information from law enforcement and independent cybersecurity experts lead us to believe that this attack has been carried out by highly sophisticated well-resourced perpetrators” – suggesting the attack was more than a simple malware incident.
Cybersecurity professionals note that ransomware attacks – like DDoS attacks – can be used to mask more sophisticated breaches: they distract defensive teams, thwart further investigation and, by encrypting or destroying logs and other artefacts, delete potential forensic breadcrumbs.
The UK’s Information Commissioner’s Office on Friday June 21 said it had “received a report that Eurofins Scientific, which provides forensic and scientific services to a number of UK law enforcement agencies, has been subject to a data breach”.
Today Eurofins Scientific confirmed anew, however, that its investigators had found “no evidence of any unauthorised theft or transfer of confidential client data”.
The ICO told Computer Business Review that under information law a “data breach” report is required if data is made “inaccessible” (e.g. as a result of being encrypted by ransomware) without that having to explicitly involve any data exfiltration.
Eurofins Scientific: Some Companies Still Affected
The company said that as of Monday June 17, the “vast majority” of affected laboratories’ operations had been restored, but some systems were still down.
“Restoration operations are continuing for some less important back office and software development systems as well as in a few companies (representing less than 2 percent of the Group’s revenues) some specific procedures required before restart of certain activities that are anticipated to be completed by end of next week.”
NCSC Involved: Was it Ryuk?
The UK’s NCSC said: “We are supporting Eurofins Scientific and working closely with law enforcement colleagues to understand the full extent and impact of this incident. Experts are working closely with both Eurofins and the certified Cyber Incident Response (CIR) company employed by them, to support containment and remediation.”
The centre added: “Ransomware is a growing cyber security risk and the NCSC has published guidance on how to prevent a ransomware incident, and what to do if your organisation is infected.”
Neither the NCSC, nor Eurofins explicitly named the malware strain used in the attack.
An NCSC advisory published the same day as its notice on the Eurofins incident does, however, emphasise the risk from Ryuk ransomware, adding: “Ryuk ransomware is often not observed until a period of time after the initial infection – ranging from days to months – which allows the actor time to carry out reconnaissance inside an infected network, identifying and targeting critical network systems and therefore maximising the impact of the attack.”
Financial Impact is “Material”
Eurofins Scientific, which reported group-wide revenues of €3.5 billion in 2018, told investors: “The impact of this attack on our financial results may unfortunately be material.”
The company added: “Eurofins profoundly apologises to the customers of those of its laboratories and sites that have been impacted by the consequences of this sophisticated attack. As much as possible, the companies concerned have been and will be in communication with customers affected by delays or capacity bottlenecks and are sharing further information as needed and available.”
In a further statement sent to Computer Business Review, a company spokesman added: “The ransomware attack caused disruption to our IT systems. We decided to take many systems offline to contain the incident and then restore on a managed basis once secure. The non-availability of IT systems containing personal data through this period is a matter which data protection authorities expect to be told about as a ‘personal data breach’ under the EU General Data Protection Regulation (GDPR), even if systems are only offline on a temporary basis. We notified authorities of the incident on this basis.”
“From a legal perspective, the duty to notify a ‘personal data breach’ covers a wide range of incidents, including those where availability has been impacted (as here), as well as the better known breaches involving unauthorised access, loss or destruction of data records. The investigations conducted so far by our internal and external IT forensics experts have not found evidence of any unauthorised theft or transfer of confidential client data. We have fully explained this to the authorities.”