[Material-Incidents] No. 2

Categorizing all the incident filings

Hey everyone,

With only one new filing this week, I had some time to spend categorizing all the known incident filings to date and found some interesting data points. Nearly all of the filings have called out some level ‘Unauthorized Access’ across the filings companies infrastructure, network or services. This isn’t really a surprise given the nature of these filings being ‘material’ and attempted hacks/attacks aren’t worth reporting. Unsurprisingly, more than half of the filings reported service disruption to business operations, ranging from days to weeks (United Health is still recovering from an incident which began in February). Data exfiltration was the third most common category with eight incidents, half of which alluded to the loss of personally identifiable information (35M+ records impacted in VF Corp filing). Several filings alluded to a Nation State threat. Detecting and attributing nation state attacks requires a level of sophistication many companies don’t possess. Microsoft, Hewlett Packard and UnitedHealth Group have all claimed nation state involvement in their filings. It will be interesting to see how these attributions play out in the future, especially among smaller companies.

Lastly, these categories are not associated with the official filings but gleaned from their contents. I have not classified attacks like ransomware unless they’re directly mentioned in the filing even if alleged externally.

8-K Filings categorized by Risk/Threat

This Weeks Filings

Radiant Logistics 8-K, March 20, 2024 
The incident filed Wednesday discussed the ‘initial stages’ of a cybersecurity incident related to their Canadian operations. The company took steps to disrupt the unauthorized activity it detected but did not mention what that activity entailed. This activity has caused a service disruption the company is hoping to resolve in the coming week. What’s interesting is Radiant has had similar filings in the past few years, ransomware disclosure from 2021 that lead to a multi-state consumer breach notification the following year. What’s not clear from the most recent filing is the extent of the incident or if an addendum will be required in the future.

Thanks for reading,
Matt