Logitech has disclosed a data breach in which an unauthorized third party exploited a zero-day vulnerability in a third-party software platform and copied certain data from an internal IT system, the company said in a Form 8-K filing and in a public announcement.
The company said it patched the zero-day after the software platform vendor released a fix. Logitech did not identify the third-party platform that was accessed or provide dates for when the intrusion occurred or when it was discovered.
Logitech said the exfiltrated data “likely included limited information about employees and consumers, and data relating to customers and suppliers,” and that it does not believe any sensitive personal information such as national ID numbers or credit card information was housed in the impacted IT system.
The company said it does not expect the incident to have a material adverse effect on its finances or operations and that costs tied to incident response, forensic investigations, potential business interruptions, legal actions and regulatory fines will be covered either in part or in total by its cybersecurity insurance policy.
The Cl0p cyber extortion gang updated its dark web leak site last week and claimed Logitech among other victims. Universities and news organisations listed by Cl0p include Harvard University and The Washington Post, which have also recently confirmed intrusions.
Logitech did not say whether the attackers had demanded a ransom. The company said its investigation is ongoing and provided limited public detail about the incident while it continues to assess the scope and impact.

