The North American arm of a Portuguese energy giant has confirmed that it was also affected by a data-stealing ransomware attack on the firm earlier this year.
The filing with Vermont’s Attorney General’s Office (AGO) last week doesn’t add a great deal of information, but does hint at less-than-thorough incident response processes. It took nearly a month before the North America business was identified as affected.
“On April 13 2020, EDPR NA’s parent corporation experienced a ransomware attack on its information systems. The parent corporation immediately began investigating with the assistance of leading computer forensic experts,” it explained in a letter to customers.
“On May 8 2020, EDPR NA learned, for the first time, that the attackers had gained unauthorized access to at least some information stored on the company’s own information systems. Since then, EDPR NA has worked diligently and on an expedited basis to identify the individuals potentially affected by this incident.”
According to EDPR NA there is “no evidence” that any of its customers’ personal information has been accessed, although it admitted it does store names, Social Security numbers and other personally identifiable information (PII).
According to researchers, EDP was hit by the Ragnar Locker variant back in April, with cyber-criminals demanding €10m ($11m) in ransom or else they would start releasing a trove of data stolen from the firm.
However, in EDP’s statement at the time it said it was unaware of any such ransom demand.
Researchers explained on social media that the attackers likely had access to the firm’s systems for some time before the attack went public – at least 10 days.
EDP employs over 11,000 staff globally and made over €3.3bn in gross operating income in 2018.