Industry News

Canon USA confirms employees past and present affected by the August ransomware attack

This site contains affiliate links to products and services. We may receive a commission for purchases made through these links.

Canon statement about the ransomware attack:

Notice of Data Security Incident

Canon understands the importance of protecting information. We are informing current and former employees who were employed by Canon U.S.A., Inc. and certain subsidiaries, predecessors, and affiliates1 from 2005 to 2020 and those employees’ beneficiaries and dependents of an incident that involved some of their information. This notice explains the incident, measures we have taken, and the steps you can take in response.

We identified a security incident involving ransomware on August 4, 2020. We immediately began to investigate, a cybersecurity firm was engaged, and measures were taken to address the incident and restore operations. We notified law enforcement and worked to support the investigation. We also implemented additional security measures to further enhance the security of our network.

We determined that there was unauthorized activity on our network between July 20, 2020, and August 6, 2020. During that time, there was an unauthorized access to files on our file servers. We completed a careful review of the file servers on November 2, 2020, and determined that there were files that contained information about current and former employees from 2005 to 2020 and their beneficiaries and dependents. The information in the files included the individuals’ names and one or more of the following data elements: Social Security number, driver’s license number or government-issued identification number, the financial account number provided to Canon for direct deposit, electronic signature, and date of birth.

We wanted to notify our current and former employees and their beneficiaries and dependents of this incident and to assure them that we take it seriously. As a precaution, we have arranged for them to receive a complimentary membership to Experian’s® IdentityWorksSM credit monitoring service. This product helps detect possible misuse of an individual’s information and provides the individual with identity protection services. IdentityWorksSM is completely free to the individual, and enrolling in this program will not hurt the individual’s credit score. If you are a current or former employee, or the beneficiary or dependent of a current or former employee, and would like more information on IdentityWorksSM, including instructions on how to activate your complimentary membership, please call our dedicated call center for this incident at 1-833-960-3574. For information on additional steps you can take in response, please see the additional information provided below.

We regret that this occurred and apologize for any inconvenience. If you have additional questions, please call 1-833-960-3574, Monday through Friday, between 9:00 a.m. and 6:30 p.m., Eastern Time.

1This notice is being provided by or on behalf of Canon U.S.A., Inc. and the following subsidiaries, predecessors, and affiliates: Canon BioMedical, Inc., Canon Business Solutions-Central, Inc., Canon Business Solutions-Mountain West, Inc., Canon Business Solutions-NewCal, Inc., Canon Business Solutions-Tereck, Inc., Canon Business Solutions-West, Inc., Canon Development Americas, Inc., Canon Financial Services, Inc., Canon Information and Imaging Solutions, Inc., Canon Information Technology Systems, Inc., Canon Latin America, Inc., Canon Medical Components U.S.A., Inc., Canon Software America, Inc., Canon Solutions America, Inc., Canon Technology Solutions, Inc., Canon U.S. Life Sciences, Inc., NT-ware USA, Inc., Océ Imaging Supplies, Inc., Océ Imagistics Inc., Océ North America, Inc., Océ Reprographic Technologies Corporation, and Virtual Imaging, Inc.

ADDITIONAL STEPS YOU CAN TAKE

We remind you it is always advisable to be vigilant for incidents of fraud or identity theft by reviewing your account statements and free credit reports for any unauthorized activity. You may obtain a copy of your credit report, free of charge, once every 12 months from each of the three nationwide credit reporting companies. To order your annual free credit report, please visit www.annualcreditreport.com or call toll free at 1-877-322-8228. Contact information for the three nationwide credit reporting companies is as follows:

If you believe you are the victim of identity theft or have reason to believe your personal information has been misused, you should immediately contact the Federal Trade Commission and/or the Attorney General’s office in your state. You can obtain information from these sources about steps an individual can take to avoid identity theft as well as information about fraud alerts and security freezes. You should also contact your local law enforcement authorities and file a police report. Obtain a copy of the police report in case you are asked to provide copies to creditors to correct your records. Contact information for the Federal Trade Commission is as follows:

  • Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue NW, Washington, DC 20580, 1-877-IDTHEFT (438-4338), www.ftc.gov/idtheft

Joules

doom
CR Pro
Jul 16, 2017
1,540
1,831
Hamburg, Germany
Yikes. Doesn't sound too great. Access to files on the server ... that were stored without any further encryption or protection?

I wonder how much else was scooped. With information about people, they have to make the breach public, but I can't imagine someone with apparently significant access would not have taken a great many other things over the course of more than two weeks.
 

gmon750

EOS 90D
CR Pro
Jan 30, 2015
126
79
It's really sad how sloppy and ill-equipped many company are when it comes to online security. They will put on a confident face in public, but behind the scenes many companies place a low priority on hardening their system to outside attack.

Security is not a one-time implementation. It is constantly changing and evolving. It's whack-a-mole and requires constant monitoring, and all that costs money which many companies choose to ignore, until this stuff happens.
 
  • Like
Reactions: Maximilian

Maximilian

The dark side - I've been there
CR Pro
Nov 7, 2013
3,241
1,509
Germany
It's really sad how sloppy and ill-equipped many company are when it comes to online security. They will put on a confident face in public, but behind the scenes many companies place a low priority on hardening their system to outside attack.

Security is not a one-time implementation. It is constantly changing and evolving. It's whack-a-mole and requires constant monitoring, and all that costs money which many companies choose to ignore, until this stuff happens.
True, but it also depends a lot on the awareness of people/employees, because IT security cannot block and filter out all web bugs and pests.
I have to make 1 or 2 trainings per year about IT and informational security.
As you say, it costs money - but much less money - and reputation (!) - than an incident.
 

hachu21

EOS 90D
Feb 11, 2014
125
36
France
Sometimes I wonder.... when you see the long list of Canon branded companies that have been involved in this incident, the IT system behind must be a huge, complex one. Past a certain amount of complexity, it seems you can't control everything anymore. Sure, It department try to...
All the incident, attack, open breach, bugs or human mistakes, even inside the biggest IT companies seems to"prove" that.
 

Aussie shooter

www.facebook.com/BrettGuyPhotography/
Dec 6, 2016
1,005
1,351
It's really sad how sloppy and ill-equipped many company are when it comes to online security. They will put on a confident face in public, but behind the scenes many companies place a low priority on hardening their system to outside attack.

Security is not a one-time implementation. It is constantly changing and evolving. It's whack-a-mole and requires constant monitoring, and all that costs money which many companies choose to ignore, until this stuff happens.
Perhaps. But on the other hand I think anyone who uploads stuff to the cloud and expects it to remain safe is borderline insane. NOTHING is safe in the digital world. NOTHING. It never will be. Hackers will always be one step ahead because cyber security is reactive as opposed to proactive. If you want your stuff to remain safe then simply do not put it out there. And yes. I get that it is almost impossible in many circumstances in this day and age. But you simply should not assume that anything is safe once it exists in the digital ether.
 
  • Like
Reactions: Maximilian

goldenhusky

EOS RP
CR Pro
Dec 2, 2016
399
199
Yeah, when you have a bunch of clowns leading the company anything can happen. FR Canon could not even get a decent online store that shows accurate stocks. They think that is too much to ask for from "The leader"
 

Joules

doom
CR Pro
Jul 16, 2017
1,540
1,831
Hamburg, Germany
Perhaps. But on the other hand I think anyone who uploads stuff to the cloud and expects it to remain safe is borderline insane. NOTHING is safe in the digital world. NOTHING. It never will be. Hackers will always be one step ahead because cyber security is reactive as opposed to proactive. If you want your stuff to remain safe then simply do not put it out there. And yes. I get that it is almost impossible in many circumstances in this day and age. But you simply should not assume that anything is safe once it exists in the digital ether.
This is internal data about staff and contractors that got accessed though. If a corporation requires such data to be collected and stored long term, and then handles it poorly enough for third parties to access it, that does deserve criticism.
 
  • Like
Reactions: Maximilian

EOS 4 Life

EOS RP
Sep 20, 2020
357
248
Yikes. Doesn't sound too great. Access to files on the server ... that were stored without any further encryption or protection?
Access is access.
If the employees had access then the hackers had access.
You can't secure a file from yourself and still get to it.
(This post will self-destruct.)
 

Joules

doom
CR Pro
Jul 16, 2017
1,540
1,831
Hamburg, Germany
Access is access.
If the employees had access then the hackers had access.
You can't secure a file from yourself and still get to it.
(This post will self-destruct.)
You make it sound like in this instance the data was leaked by an employee? I didn't get that impression from reading the OP.
 

Aussie shooter

www.facebook.com/BrettGuyPhotography/
Dec 6, 2016
1,005
1,351
This is internal data about staff and contractors that got accessed though. If a corporation requires such data to be collected and stored long term, and then handles it poorly enough for third parties to access it, that does deserve criticism.
I agree it deserves to be criticised for losing data but the reality is our data is NOT safe. None of it. Nothing on social media. Nothing held by employers. Nothing held by banks(that one is probabaly the most worrying). Nothing held by the govt. Nothing. No one should ever be surprised when the information is compromised
 
  • Like
Reactions: David_E

Mt Spokane Photography

I post too Much on Here!!
CR Pro
Mar 25, 2011
16,607
1,569
To read this, it sounds like the financial information of employees such as bank accounts was not encrypted. It is generally good practice to encrypt something like that. Hacking happens, but if data is taken, then any financial portion should have encryption. That too can be hacked, but it usually requires a complete blunder on the part of a company to make the keys readily available.
 
  • Like
Reactions: Joules

Joules

doom
CR Pro
Jul 16, 2017
1,540
1,831
Hamburg, Germany
I agree it deserves to be criticised for losing data but the reality is our data is NOT safe. None of it. Nothing on social media. Nothing held by employers. Nothing held by banks(that one is probabaly the most worrying). Nothing held by the govt. Nothing. No one should ever be surprised when the information is compromised
There is a significant difference though between knowing that no matter how many measures you employ, you will never have any guarantees or perfect protection - and not employing sufficient measures to ensure basic security.

Here we have a case where it seems like gaining access to a file system or database was enough to also access highly sensitive data. As if no additional measures like encryption of this data were taken.

As you say: You should know that no single solution will give perfect protection - and so, you don't just rely on a single solution.

Large companies have huge responsibilities for all of their stake holders. When they fail to take them serious, the public reaction should at least not be 'Eh, happens to the best of us', otherwise they have so little incentive (yes, laws...) to do better in the future.
 

EOS 4 Life

EOS RP
Sep 20, 2020
357
248
You make it sound like in this instance the data was leaked by an employee? I didn't get that impression from reading the OP.
A hacker that acquires employee access is indistinguishable from an employee to the system.
 

gmon750

EOS 90D
CR Pro
Jan 30, 2015
126
79
Perhaps. But on the other hand I think anyone who uploads stuff to the cloud and expects it to remain safe is borderline insane. NOTHING is safe in the digital world. NOTHING. It never will be. Hackers will always be one step ahead because cyber security is reactive as opposed to proactive. If you want your stuff to remain safe then simply do not put it out there. And yes. I get that it is almost impossible in many circumstances in this day and age. But you simply should not assume that anything is safe once it exists in the digital ether.
This has nothing to do with cloud storage. It was internal data, stored on Canon's own internal servers. Typical ransomware means that a user's PC was compromised in some way, and their attached network drives were attacked and encrypted.

If anything, if they were using a cloud service like Dropbox, with a couple of clicks, they could have restored their data to a prior point and moved-on. Not all cloud services are sketchy. Sure, nothing is 100%, but I do trust (to a point) the more established players to stay on top of attack vectors. Apple (iCloud) and Dropbox are two I trust.
 

gmon750

EOS 90D
CR Pro
Jan 30, 2015
126
79
True, but it also depends a lot on the awareness of people/employees, because IT security cannot block and filter out all web bugs and pests.
I have to make 1 or 2 trainings per year about IT and informational security.
As you say, it costs money - but much less money - and reputation (!) - than an incident.

Yes... one company a friend of mine worked at got hit by ransomeware. It was a really bad one. Their data was inaccessible for weeks, and refused to make it public for obvious reasons. Live in ignorance I suppose.