Mondelez Employee Data Compromised in Law Firm Cyberattack
Mondelēz International is notifying more than 50,000 current and former employees that their personal data were compromised when a hacking group stole data from a law firm, Bryan Cave Leighton Paisner LLP. The intrusion was detected in late February 2023; the law firm notified Mondelēz of the incident in late March. In late May, “based upon additional information received from Bryan Cave, Mondelēz determined that it finally had enough information to determine who was impacted and that affected individuals should be notified.”
Another reminder of how complex supply chains are – law firms, outsourced employee benefit services, etc. are part of the attack surface in your “supply” chain that can lead to data exposure.
This and the HWL Ebsworth attack [second story in Rest of the News] remind me of the quote by the bank robber Willie Sutton: “I rob banks because that’s where the money is.” In this case, law firms are ‘cyber robbed’ because that’s where the data is. Specific to this cyber breach, a couple of reminders: 1) data owners have a responsibility to understand how the law firm protects the information entrusted to them; and 2) details of the attack and victim notification should be shared more quickly, and not wait for all the information to be stitched together.
Mondelēz owns multiple brands including Sour Patch Kids, Chips Ahoy, Triscuit, Wheat Thins, Oreo and Ritz, and was not directly penetrated. This is a case of the third-party service provider being compromised. Bryan Cave was compromised in February and started notifying impacted clients in March; it wasn't until May 22 that Mondelēz had enough information to understand who was impacted and start their notification process. Review your third-party notification requirements: not only should they specify a timeliness requirement, they should also require enough information for you to begin your own analysis and response. Consider sitting down with those who process or store sensitive information for you and see what can be optimized.
Read more in
The Register: Oreo cookie maker says crooks gobbled up staff info
Reg Media: Notice of Data Breach (PDF)