Business jet manufacture Bombardier says it has suffered a “limited cybersecurity breach” through Accellion’s FTA file transfer application.
“An initial investigation revealed that an unauthorized party accessed and extracted data by exploiting a vulnerability affecting a third-party file-transfer application, which was running on purpose-built servers isolated from the main Bombardier IT network,” the Feb. 23 statement from the Montreal-based company said.
Asked for clarification by ITWorldCanada.com, Anna Cristofaro, Bombardier’s manager of communications, confirmed Accellion FTA was the vulnerable application.
Forensic analysis revealed that personal and other confidential information relating to employees, customers and suppliers was compromised. “Approximately 130 employees located in Costa Rica were impacted,” the Bombardier statement says. The unauthorized access was limited solely to data stored on the specific servers. Manufacturing and customer support operations have not been impacted or interrupted.
“Bombardier can also confirm the company was not specifically targeted,” the company added. “The vulnerability impacted multiple organizations using the application.”
A recent trail
In recent weeks, a number of organizations including the auditor’s office of the state of Washington and the pharmacy departments of the U.S. Kroger supermarket chain, have confirmed they were victims of stolen data through Accellion FTA. According to an analysis this week by FireEye, a threat group leveraging vulnerabilities in FTA is using the dark web site of the Clop ransomware to post evidence to organizations they’ve been hit.
What prompted ITWorldCanada.com to call Bombardier for comment was that earlier this week, the Clop site posted what it says are a number of corporate documents, including flight test reports and parts schematics.
Asked to comment Cristofaro said Bombardier is still investigating and won’t go further than what it has already said.
UPDATE: Bombardier was briefly off and then back on the Clop ransomware site, with more corporate documents allegedly from the company available. These include an alleged 2017 purchase order from a company for an aircraft intercom system and a 2018 amendment to an agreement between Bombardier and a U.S. firm. As for comment on March 1st, Anna Cristofaro, Bombardier’s manager of communications said she would not comment on “industrial secrets.” Any data compromised is limited to the data stored on certain servers where the file transfer application was installed, she said. “As to ransoms or any other questions relating to the attackers, we do not comment on matters of this nature or otherwise relating to criminal groups.”
Bombardier is a smaller corporation than it was several years ago when it was making trains, snowmobiles and business jets. After having to get out of the commercial aircraft business and selling the railway division, the company is left with manufacturing business jets. Earlier this month, Bombardier said it will stop making the small Learjet line and cut 1,600 jobs. That would bring its total global workforce to about 13,000 people.