Plane-maker Bombardier discloses breach after stolen data surfaces

Hackers have exposed data about employees, customers and suppliers of Bombardier, a Canadian plane manufacturer, in what appears to be the latest ripple effect from a larger security incident humming through the private sector in North America. 

A forensic analysis revealed that “confidential” information originating at Bombardier was stolen in a recent incident, the company said Tuesday. The Montreal-based Bombardier, which reported $16 billion in revenue in 2018, did not specify exactly what happened or when, though it did say the breach was the result of a “vulnerability affecting a third-party file-transfer application.”

“The ongoing investigation indicates that the unauthorized access was limited solely to data stored on the specific servers,” the company said. “Manufacturing and customer support operations have not been impacted or interrupted.”

The Bombardier news appears to be a reference to Accellion, an IT services provider victimized last year in an incident that is continuing to have consequences for the company’s clients. A hacking group identified only as UNC2546 leveraged software flaws in an Accellion product to gather data about partners including the grocery chain Kroger, the global law firm Jones Day, the University of Colorado and a telecommunications firm in Singapore, among others. 

In many cases, the thieves have tried to extort the victim organizations by posting some of the stolen data on a publicly accessible website, then threatening to publish more in the event that a firm did not pay the attackers to keep quiet. Some intellectual property belonging to Bombardier appears to be available on the website in question, multiple media outlets have reported. 

The list of victims is only poised to grow. Of the roughly 300 corporate firms that rely on the Accellion tool in question, known as a secure file transfer application, fewer than 100 companies were attacked and roughly 25 have been affected by a significant theft of data, Accellion said Tuesday.