Panasonic Canada has announced the company was a victim of a targeted cybersecurity attack in February 2022. The company took immediate steps to address the attack. While for many weeks Panasonic believed that no data had been stolen from our systems,they recently discovered that at least 2.5 GB of data was stolen from Panasonic Canada systems. There is no evidence of unauthorized access by the threat actor to any Panasonic systems outside of its Canadian operations.
While Panasonic’s investigation continues, below are additional details about the security incident and stolen data.
What happened?
In February 2022, Panasonic Canada experienced issues with some of its servers, resulting in certain system outages. These outages turned out to be a result of a targeted Conti ransomware attack against Panasonic Canada systems, starting with a February 2, 2022 phishing attack.
Investigations to date has not revealed the threat actor accessed or used technology deployed to Panasonic Canada’s customers, including point of sales technology.
Upon receiving threat intelligence and indicators of compromise relating to the suspected intrusion into its environment by the threat actor, with the assistance of several expert consultants, Panasonic Canada mitigated the threat by shutting down several of its potentially affected systems, including several systems that turned out to not have been affected by the attack, and took steps to remedy the intrusion and eliminate the ransomware. The threat actor was shut out of the Panasonic Canada environment by February 17, 2022. Based on available evidence in the immediate aftermath of the attack, Panasonic Canada and its consultants did not identify any reliable evidence of data staging or data theft. Panasonic Canada did not pay a ransom.
What customer and supplier data was involved?
On April 5, 2022, Panasonic detected approximately 2.5 GB of Panasonic Canada data publicly posted on the Conti “shaming” site. The threat actor alleges that this data set is 3% of the data it stole from Panasonic Canada, but there is no evidence that this statement is reliable. Panasonic Canada has identified the device from which the public 2.5GB was very likely stolen. That device contains a wide variety of information, including transactional records with Panasonic Canada customers and suppliers such as invoices, purchase orders, agreements, accounting, processing, billing, credit and payment information, roadmaps, promotion records, feedback, and design/operational records provided in the course of development work for customers. Of particular note, the threat actor had unauthorized access to the banking information provided to Panasonic Canada by certain customers and suppliers. A relatively small number of customers who are individuals may have provided to Panasonic Canada information personal to them.
What can you do next?
Because the threat actor alleges that it stole more data than it has made public to date, Panasonic Canada cautions each of its customers and suppliers to evaluate and address what data it has provided to Panasonic Canada. Panasonic Canada has not been able to exclude any data in its systems as not having been at risk of unauthorized access by the threat actor, neither by data type nor by date. However, Panasonic Canada has concluded that there was no unauthorized access to Panasonic Canada’s ERP or CRM platforms, nor its point-of-sale technology.
Since confirming this attack, Panasonic has worked diligently to restore customer operations and understand the impact and risk to customers, suppliers and other stakeholders. These efforts continue. We are also in contact with law enforcement and the Privacy Commissioner of Canada.
In a written note Panasonic commented “we take this incident very seriously and regret the actions of these malicious attackers and thank you for your patience and understanding.”