Author: Paul Roberts / Source: Digital Guardian
FedEx’s disclosure of a material impact from NotPetya last week highlighted the awkward two-step that companies play around malware outbreaks and data breaches.
Does being infected with ransomware, wipers and other forms of malware mean that your company has suffered a data breach? Most security experts would say “yes,” but a disclosure by the parcel shipping giant Federal Express (FedEx) last week highlights the awkward two-step that most breached firms continue to dance on the matter.
FedEx became the latest U.S. firm to tell regulators that the NotPetya/XPetya wiper malware, which spread worldwide in late June, will have a material impact on the company’s financial performance. In a filing with the U.S. Securities and Exchange Commission dated July 5th, the company said that the NotPetya infection at its TNT Express subsidiary in June 2017 “significantly affected” the company’s worldwide operations. FedEx said that it is “not yet able to determine the full extent of its impact, including the impact on our results of operations and financial condition.” However, the likely financial impact will be material to the company.
According to the filing, TNT used the MEDoc financial software. A compromised update for that software was used to initially seed the NotPetya malware, which also spread using the EternalBlue exploit for a known vulnerability in the Windows operating system.
But on the question of whether the NotPetya outbreak constituted a “data breach,” the FedEx disclosure, which was included in the company’s annual 10-K filing, sends two somewhat contradictory messages. On the one hand, FedEx said that – despite the ravages of NotPetya on its TNT subsidiary – “no data breach or data loss to third parties is known to have occurred as of the date of this filing.” And, indeed, numerous technical analyses and breakdowns of NotPetya suggest that its purpose is to destroy data, not leak it or hold it hostage. So was it a breach? (We’ll come back to this.)
Stepping back from the specific case…