CDW Says It’s Investigating After LockBit Claims To Leak Data Trove
The IT solution provider giant is investigating a security incident that impacted its Sirius Federal subsidiary, and is ‘aware’ of claims that data stolen from the subsidiary has been leaked on the darkweb.
The LockBit cybercriminal gang claimed to leak stolen CDW data Thursday after it had demanded an $80 million extortion payment from the IT solution provider.
In a statement provided to CRN Thursday, a CDW spokesperson said the company is “addressing an isolated IT security matter” related to data on servers belonging to a subsidiary, Sirius Federal. CDW said in the statement that it is also “aware that a third party has made data available on the dark web which it claims to have taken from this environment,” and is investigating both the initial incident and the data leak claims.
An update to LockBit’s darkweb leak site Thursday, viewed by CRN, said that “all available data” allegedly belonging to CDW had been published. The page appeared to provide a link to download a 94.7 GB archive of data.
The publishing of the data presumably means that the demand went unmet by CDW as of the 2:40 p.m. ET deadline Thursday.
In its statement to CRN Thursday, CDW said that “we are addressing an isolated IT security matter associated with data on a few servers dedicated solely to the internal support of Sirius Federal, a small U.S. subsidiary of CDW-G.” The servers are “non-customer-facing” and are “isolated from our CDW network and other CDW-G systems,” the company said.
CDW’s security protocols detected suspicious activity related to the Sirius Federal servers and contained the activity, and the company “immediately” began an investigation that includes help from external cybersecurity experts, according to the statement.
“Our systems remain fully operational and at no time did we identify evidence of any risk to other CDW systems or any external systems,” the company said.
As for the claimed leak by LockBit, “we are aware that a third party has made data available on the dark web which it claims to have taken from this environment,” CDW said in the statement. “As part of the ongoing investigation, we are reviewing this data and will take appropriate action in response – including directly notifying anyone affected, as appropriate.”
LockBit, a prolific Russian-speaking cybercriminal group, claims on its darkweb site that CDW offered to pay $1.1 million out of the $80 million demand. The Register reported Friday that it was told by a LockBit representative that the group was insulted by the low amount offered by CDW.
The $80 million ransom demand is the third largest that is publicly known about, Emsisoft threat analyst Brett Callow posted on X, the site formerly known as Twitter. The only higher demands were a $240 million demand to MediaMarkt by Hive and a $100 million demand to Acer by REvil, according to a previous ranking by Equinix’s William Thomas.
Cybersecurity vendor Flashpoint has estimated that LockBit accounted for 27.9 percent of all known ransomware attacks between July 2022 and June 2023.