Incident

Bristol Myers Squibb reports MOVEit related breach of employee SSNs



Bristol Myers Squibb (BMS), a pharmaceutical company based in New York City, disclosed a significant data breach. The breach was attributed to a vulnerability in their file transfer software, MOVEit, which was exploited by hackers to gain unauthorized access to confidential information provided to BMS.

The data accessed by the hackers include:

  • employee names,
  • Social Security numbers,
  • email addresses,
  • mailing addresses,
  • phone numbers,
  • dates of birth,
  • genders,
  • ethnicities,
  • employment status.

The number of affected individuals is not disclosed, but the company employs over 34,000 people, which gives a sense of the order of magnitude of the breach.

The breach only involved BMS's MOVEit server, and their core IT systems remained unaffected.

Upon discovering the security breach, Bristol Myers Squibb shut down the MOVEit software, implemented all available patches to address the vulnerability, and initiated a thorough investigation to ascertain the extent of the unauthorized access and data compromise.

The investigation revealed that the unauthorized party had gained access to and downloaded confidential BMS data as early as May 27, 2023, four days before the company was informed of the vulnerability. Subsequently, on June 29, 2023, Bristol Myers Squibb commenced the process of notifying all individuals whose data was affected by the breach. Data breach notification letters were sent out to the affected employees, providing them with detailed information about the type of compromised data pertaining to their profiles.
