Summary: Enzo Biochem has agreed to pay $4.5 million to three state governments following a ransomware attack that compromised the personal data of nearly 2.5 million individuals. The investigation revealed significant security lapses, including shared login credentials and the absence of multi-factor authentication.
Threat Actor: Unknown | unknown
Victim: Enzo Biochem | Enzo Biochem
Key Point :
- Enzo Biochem’s security weaknesses included shared login credentials among multiple employees and a lack of multi-factor authentication.
- The company has committed to improving its cybersecurity measures, including annual risk assessments and an incident response plan.
- New York will receive the largest portion of the settlement, amounting to $2.8 million, due to the significant number of affected individuals in the state.
Three state governments have announced a $4.5 million payment from Enzo Biochem — a biotech company that suffered a ransomware attack in April 2023 — for failing to protect the diagnostic test information and personal data of nearly 2.5 million people.
The attorneys general of New York, New Jersey and Connecticut announced the agreement on Tuesday with the New York-based company, which had reported the incident to the federal government in late May of 2023.
A subsequent investigation led by New York’s Office of the Attorney General (OAG) found that the unspecified attackers accessed Enzo’s networks using two employee login credentials.
“The OAG later found that those two login credentials were shared between five Enzo employees and one of the login credentials hadn’t been changed in the last ten years, putting Enzo at heightened risk of a cyberattack,” the OAG said. The company also did not use multi-factor authentication for remote access to email, investigators said.
Recorded Future News has reached out to Enzo for a response to the agreement.
No ransomware group has been publicly associated with the attack.
The attorneys general said Enzo has agreed to several measures intended to strengthen its cybersecurity, such as adding multi-factor authentication to all employee accounts and updating other security policies and programs. The company will conduct and document annual risk assessments and develop and implement an incident response plan.
“Getting blood work or medical testing should not result in patients having their personal and health information stolen by cybercriminals,” said New York Attorney General Letitia James. “Health care companies like Enzo that do not prioritize data security put patients at serious risk of fraud and identity theft.”
New York state will receive the majority of the payment — $2.8 million. Nearly 1.5 million New Yorkers had their data exposed in the incident.
Recorded Future
Intelligence Cloud.
Source: https://therecord.media/enzo-biotech-company-pays-states-over-2023-breach