Lumen Discloses 2 Cybersecurity Incidents Impacting Some Customers, Operations

Additional damage to customers is likely, said one cybersecurity expert.

Edward Gately, Senior News Editor

March 28, 2023

Lumen Technologies has confirmed two cybersecurity incidents – a ransomware attack and a non-ransomware incident – impacting what it says are a limited number of customers.

Lumen disclosed the cyberattacks in a filing with the U.S. Securities and Exchange Commission (SEC).

“A small handful of our enterprise customers were recently affected by a security incident,” it said. “Our priority is service restoration, but we’re also simultaneously investigating the cause. At this time, we have no evidence that points to direct customer application access. We thank our customers for their patience.”

Lumen said, to be clear, “we do not believe either of the cyber events are material.”

“One of the many changes we’ve made at Lumen is a greater emphasis on trust and transparency,” it said. “This is why we made a disclosure. We believe we’ve taken the necessary steps to insulate our customers and ourselves from the effect of this incident. We haven’t seen any non-U.S. data impact. As we know more, we will reassess.”

Details of Lumen Cybersecurity Incidents

Last week, Lumen discovered that a malicious intruder had inserted criminal ransomware into a limited number of the company’s servers that support a segmented hosting service. This intrusion is degrading the operations of a small number of the company’s enterprise customers.

“Second, the company’s recent implementation of enhanced security software has led to its discovery that a separate sophisticated intruder accessed a limited number of the company’s internal IT systems, including conducting reconnaissance of these systems, installing malware and extracting a relatively limited amount of data,” it said. “Based on its ongoing investigations … and information known at this time, the company does not believe the incidents have had or will have a material adverse impact on its ability to serve its customers or its business, operations or financial results.”

Lumen’s Response

Following these incidents, Lumen took a series of measures to assess, contain and remediate the incidents. Initial steps to safeguard the integrity of its IT systems included working with outside forensic firms to contain the incidents and implementing business continuity plans to restore functionality to its customers’ operational and business systems.

“In addition, Lumen notified law enforcement and regulatory authorities, and impacted customers, launched investigations, and took additional steps to safeguard the company’s systems,” Lumen said. “The company continues to evaluate potential responses to the ransomware attack.”

In addition, Lumen continues to assess the potential impact of both events. That includes whether any personally identifiable or other sensitive information has been exfiltrated. Lumen continues to work with several external advisors, impacted customers and relevant authorities to assess and mitigate the impacts from these incidents.

Fallout Likely

Mike Parkin is senior technical engineer at Vulcan Cyber.

“Lumen claims that the attackers were only able to affect a limited number of systems, and without evidence to the contrary there’s no reason to doubt them,” he said. “However, it’s likely that there will be fallout in lost customer confidence and possible additional damages to the customers themselves.”

Without knowing the specifics, it’s impossible to say if the attacks could have been prevented, Parkin said. However, the answer is usually yes.

“They have announced the events happened, which is good,” he said. “They’ve informed their customers about what happened, which is also good. And we can assume their customers were given more information than was given to the general public. But the report didn’t reveal anything about the attack vector, malware strain or what new defense discovered the second attack. There’s also no information on how long either attacker was there, though it’s implied that the second attacker may have been there for a while. So, from an external analysis perspective, no, they didn’t reveal enough, at least yet, to learn anything useful that might help prevent other attacks.”
