On 16 November, OSIsoft reported that it was experiencing a security incident that potentially affected everyone from employees and interns to consultants and contractors. Attackers reportedly stole credentials and used them to access OSIsoft computers, which triggered alerts of unauthorized activity from the intrusion detection systems.
“Our security service provider has recovered direct evidence of credential theft activity involving 29 computers and 135 accounts. We have concluded, however, that all OSI domain accounts are affected,” the data breach notification warned.
Additionally, the company advised, “You should assume your OSI domain logon account name, as well as email address and password have been compromised.”
The incident remains under investigation with the company’s security service providers, and OSIsoft reported that it “has developed a comprehensive remediation strategy that includes a contingency plan, in case there is an escalation of unauthorized activity as the investigation continues.”
The company also advised users to reset external accounts to use different passwords.
“While most organizations factor vendors, suppliers and contractors into their third-party risk management programs, the reality is that our digital ecosystems are a lot bigger than that. Any third party in a company’s digital ecosystem can be the weak link that gives attackers a clear path to exposed data,” said Fred Kneip, CEO, CyberGRX.
“In this case, OSIsoft’s security controls weren’t able to stop a case of credential theft, affecting a confirmed 135 accounts and possibly more. With over 65% of Fortune 500 industrial companies using their product, OSIsoft is a major gateway to valuable data and they should be seen as such. Large companies like these often interact with tens of thousands of third parties, and it’s critical for them to gain a better understanding of which of those third parties pose the biggest risk to their data.”