Morley Companies, a Saginaw, Michigan provider of business services, disclosed it had been hit by ransomware attack on August 1, 2021 that enabled hackers to steal data belonging to current employees, former employees and some clients.
The venerable outfit, founded in 1863, offers business services to Fortune 500 and Global 100 clients; contact centers and back office processing; meetings and incentives management; and exhibits and displays production.
Morley suspects that names, addresses, social security numbers, birth dates, client identification numbers, medical diagnostic and treatment information, and health insurance information were pilfered in the cyber heist.
Cyber Incident Response - MSSPs Involved?
The company said it hired “independent cybersecurity experts,” an apparent reference to managed security service providers and cyber forensic analysts. However, Morley did not disclose which MSSPs or cyber firms it had engaged. In addition, Morley said that once it learned its infrastructure had been compromised it took “steps in response to this incident” to lock down its environment.
Following an investigation, Morley determined that the threat actors stole the personal information of more than 520,000 individuals, including data belonging to Morley's employees, contractors and clients, BleepingComputer reported. At this point, Morley said it has not seen any evidence indicating the misuse of any information potentially involved in this incident. Morley said it has notified those potentially affected by the cyber event and has provided a number of resources to help them, including steps to protect their personal information, notify their financial institutions and other credit protection measures.
Beginning on February 1, 2022, six months after the cyber incident, Morely began notifying individuals impacted by the event, including information about the incident and about the steps that potentially impacted individuals can take to protect their information.
Delayed Cyber Incident Disclosure?
Morley took some heat for what appears to be a lengthy period before potentially affected people were notified of the breach. "Six months. Half a year from the time that the breach was detected until affected parties were notified, and this is the most generous reading of the timeline,” said Chris Clements, a VP at Cerberus Sentinel. "It’s overwhelmingly likely that the attackers had access to Morley data for weeks or even months before they ran their ransomware locking Morley and their customers out of their data. During this timeframe, people exposed to risk of fraud or identity theft may have been actively targeted while being oblivious to their risk,” he said.