Cybercriminals that hit Henry Schein not only may have accessed the personal data of about 29,000 people, but the ransomware gang infiltrated the company’s network for more than two weeks before it was discovered, according to a data breach notification.
The cyberstrike occurred on September 27, but Henry Schein did not discover it until October 14, according to a notification from the Office of the Maine Attorney General. A day later, the dental distributor notified the public of the cybersecurity incident and that it was taking most of its systems offline.
Furthermore, the ransomware gang BlackCat may have stolen data, including names or other personal identifiers in combination with financial account numbers, credit/debit card numbers, as well as security codes and passwords, from 29,112 people. Of those potential victims, 38 are residents of Maine, according to the notification.
Though Henry Schein’s systems are up and running, the company has been entangled in this cybersecurity mess for months.
The ransomware-as-a-service organization BlackCat has claimed responsibility for attacking Schein in the fall and again on November 22, only a little more than a week after its business operation and e-commerce sites were restored from the first incident that kept the company mostly on pause for about a month.
In the first attack, BlackCat claimed it looted 35TB -- 1TB is equivalent to about 200,000 five-minute songs -- of sensitive data, which included payroll and shareholder information, and threatened to start dumping the stolen data.
After what appeared to be tense negotiations, Henry Schein announced on November 13 that its e-commerce platforms and distribution businesses were fully operational. At that time, Schein informed customers and suppliers in the U.S. that the cyberstrike may have exposed their sensitive data, including bank account and credit card numbers, to third parties and encouraged both groups to be vigilant about changing passwords and to monitor their accounts for suspicious activity.
In the more recent attack, the company reported that the hack left its applications and e-commerce platforms unavailable. On November 27, Henry Schein announced that its e-commerce site in the U.S. had been restored following six days of unavailability.
BlackCat, also known as ALPHV, is a notorious gang that has reportedly victimized more than 100 organizations and has sought ransoms as high as $1.5 million, according to the U.S. Health and Human Services Office of Information Security.
But the ransomware gang may have finally got its comeuppance. Rumors have been swirling online that law enforcement may have caught up with the cyberthieves after the gang’s infamous site was recently taken down.
In addition to causing a network nightmare for the company, Henry Schein announced that the cyberattack was expected to hurt its sales for 2023. The company’s full-year 2023 sales are expected to be approximately 1% to 3% lower than its total sales in 2022.