UFP Technologies disclosed in a filing with the U.S. Securities and Exchange Commission that it detected suspicious activity on its IT systems on February 14 and that a third party stole data from compromised systems.
KEY FACTS
- Incident detected February 14
- Data stolen from compromised systems
- Affected functions billing and label making for customer deliveries
- Company size about 4,300 employees, $600 million annual revenue and $1.86 billion market cap
UFP immediately deployed isolation and remediation measures and engaged external cybersecurity advisors to investigate.
Preliminary results show the threat has been removed but the attacker was able to steal data and certain company or company-related data appear to have been destroyed. The data destruction suggests a ransomware or wiper attack, though the nature of any malware remains unclear.
At this time the company has not determined whether personal information was exfiltrated. If confirmed, notifications will be sent to impacted individuals as required by law.
Despite the incident the company reports its primary IT systems remain operational and, based on current evidence, it is unlikely the incident will have a material impact on operations or financials.
WHY IT MATTERS
The incident affected billing and label making tied to customer deliveries which could disrupt shipments. Potential data theft and destruction also create regulatory and customer-notification obligations if personal information is involved.