Enzo Biochem Fined $4.5M for Poor Security Following Ransomware Attack

Date: August 15, 2024

Enzo Biochem, a biotech company, has been ordered to pay $4.5 million to the attorneys general of New York, New Jersey, and Connecticut following a 2023 ransomware attack that compromised the data of over 2.4 million people.  

Key failings included poor password management, lack of multi-factor authentication (MFA), and the failure to encrypt sensitive data on all systems. The attackers gained access using shared credentials, one of which hadn't been updated in a decade.  
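The failings named above (a credential unchanged for a decade, shared accounts, no MFA) are the kind a routine automated inventory audit flags long before an intruder does. The script below is an added example, not code from the article or from Enzo; it runs over a small constructed account inventory and assumes a hypothetical 90-day rotation policy, checking credential age, MFA enforcement and credential sharing for each account.

```python
from datetime import date

# Constructed inventory of user and service accounts (hypothetical data,
# not drawn from any real system). Each record carries the date the
# password was last rotated, whether MFA is enforced, and how many
# people hold the credential (more than one means it is shared).
ACCOUNTS = [
    {"name": "lab-shared-admin", "last_rotated": date(2013, 5, 2),   "mfa": False, "holders": 6},
    {"name": "backup-svc",       "last_rotated": date(2023, 11, 1),  "mfa": False, "holders": 1},
    {"name": "j.doe",            "last_rotated": date(2024, 6, 15),  "mfa": True,  "holders": 1},
    {"name": "vpn-contractor",   "last_rotated": date(2022, 1, 9),   "mfa": True,  "holders": 3},
]

MAX_PASSWORD_AGE_DAYS = 90  # assumed policy value, not from the article


def credential_age_days(account, today):
    """Days since the account's password was last rotated."""
    return (today - account["last_rotated"]).days


def audit_accounts(accounts, today, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Return {account_name: [findings]} for every account that fails at
    least one of three controls: rotation age, MFA, or single ownership.
    Accounts with no findings are omitted."""
    findings = {}
    for acct in accounts:
        issues = []
        age = credential_age_days(acct, today)
        if age > max_age_days:
            issues.append(f"password {age} days old (limit {max_age_days})")
        if not acct["mfa"]:
            issues.append("MFA not enforced")
        if acct["holders"] > 1:
            issues.append(f"shared by {acct['holders']} people")
        if issues:
            findings[acct["name"]] = issues
    return findings


if __name__ == "__main__":
    # Audit as of the article's publication date.
    for name, issues in audit_accounts(ACCOUNTS, date(2024, 8, 15)).items():
        print(f"{name}:")
        for issue in issues:
            print(f"  - {issue}")
```

Run on the sample inventory, three of the four accounts are flagged; the decade-old shared administrative credential trips all three checks at once, which is the profile the article describes for the account the attackers used.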

The investigation also found that Enzo relied on manual network monitoring, which allowed the intrusion to go undetected for days, The Register reports.

Following the attack, Enzo has implemented extensive security improvements, including adopting a Zero Trust approach, enhancing encryption practices, and enforcing MFA.  

Despite these measures, the incident highlights the ongoing vulnerabilities in healthcare cybersecurity, with other companies also targeted by cybercriminals in the same period.  

The attorneys general emphasized the importance of robust data security in protecting patient information.

Takeaway: Lawsuits against organizations hit by ransomware attacks involving data exfiltration have surged dramatically over the past two years.  

This rising wave of legal actions is placing unprecedented pressure on C-suite executives and Boards of Directors, with third-party service providers increasingly being named as defendants.

A recent example includes a lawsuit filed by Mastagni Holstedt against managed service provider LanTech LLC and data backup provider Acronis, seeking over $1 million in damages for allegedly failing to protect the firm from a significant ransomware attack.  

Similarly, the law firm Cooper Elliott filed a class-action lawsuit against the City of Columbus after a ransomware attack compromised the personal information of city employees.

Organizations must be acutely aware of the diverse risks posed by ransomware attacks, which now extend far beyond immediate financial and operational disruptions to include serious threats to sensitive data and intellectual property.  

The evolving tactics of ransomware operators—who increasingly resort to publishing or selling stolen data if ransoms are not paid—introduce additional risks such as regulatory fines, lawsuits, and lasting damage to a company’s reputation and customer trust.

Ransomware attacks have evolved from merely deploying malicious code to making data exfiltration a core strategy. In some cases, attackers forego encryption altogether, focusing solely on stealing information for extortion purposes.  

This shift has elevated ransomware to a significant legal and regulatory concern. Depending on the industry and jurisdiction, data protection laws may mandate the swift reporting of breaches, with severe penalties for non-compliance.

While existing regulations aim to protect sensitive personal information, these regulations can often compound the challenges faced by targeted organizations and the companies working to protect them, essentially revictimizing the victims.

The aftermath of severe security incidents no longer concludes with mitigating the immediate threat; it now encompasses potential class action lawsuits, regulatory actions, criminal prosecutions, and even personal liability for executives, particularly when sensitive or regulated data is compromised.

Noteworthy cases, such as the legal action against Uber's former Chief Information Security Officer and the regulatory scrutiny of SolarWinds and its CISO, underscore the rising liability for those responsible for security decisions.  

This trend underscores the reality that while government guidelines and frameworks exist to help organizations prevent ransomware attacks, the regulatory response post-attack often imposes additional burdens on already-victimized organizations.

It's equivalent to penalizing a captain and crew because pirates seized their cargo ship, even though it's the state that is supposed to be fighting off the pirates and protecting the merchant fleet.  

Cybersecurity experts acknowledge that a determined attacker with sufficient resources can breach any target. This reality implies that organizations handling sensitive data are at risk of regulatory and potentially criminal consequences when they fall victim to attacks.  

It’s understandable why such rules were devised back when we were dealing with unauthorized access events where the actual financial harm to the victim organizations was less immediate and much harder to determine.  

But now that they are being applied to ransomware attacks, it's hard not to see this as simply a tax on ransomware victims, imposed with the full benefit of hindsight to question and challenge decisions that were made when the company was not under attack.

As these factors converge, organizations face the dual challenge of defending against ransomware while navigating an increasingly precarious legal and regulatory environment.

Unfortunately, these sorts of actions will likely not yield better security.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.