The Target: GlobalLogic, a provider of digital engineering services part of the Hitachi group.
The Take: The data stolen in the breach includes personal information collected by GlobalLogic's human resources and, depending on the affected individual, it includes name, address, phone number, and emergency contact (name and phone number). The attackers also exfiltrated the email addresses, dates of birth, nationalities, countries of birth, passport information, national identifiers or tax identifiers (e.g., Social Security Numbers), salary information, and bank account details of impacted employees.
The Vector: In a breach notification letter filed with the office of Maine's Attorney General, the company states that the attackers exploited an Oracle EBS zero-day vulnerability to steal personal information belonging to 10,471 employees.
This breach is critical reminder that zero-day exploits do happen, and furthermore that patching software in a timely, effective manner is a key component of ensuring customer data is protected. Ensuring third-party vendors are deploying patches and fixes in accordance with a firm’s cybersecurity policy is an important step in an overall robust security posture.