Boeing hacked by LockBit: Ransomware and the effect on supply chains

The harsh impact of ransomware attacks continues to be felt by major global businesses.

US aerospace giant Boeing confirmed last week that its parts and distribution business had been hit by a cyber breach. This followed the earlier announcement by prolific hacking group LockBit that it had stolen a “tremendous amount” of sensitive data from the airplane and space system manufacturer.

LockBit gave Boeing until 2 November to engage in negotiations regarding payment of a ransom, after which, the hackers threatened to release all of the stolen information. While regulators and law enforcement agencies advise victims like Boeing not to pay ransoms in these situations, it is likely that a number of organisations do, in the hope of the return of their confidential information (a hope which sadly is often proved misplaced).

At the time of writing, it would appear that Boeing refused to pay the ransom, as LockBit has now stated that it intends to leak around 4GB of sample data on the dark web, with larger leaks to follow unless it sees “positive cooperation” from Boeing. It is common for hackers to publish only a chunk of stolen data in order to verify their claims, while withholding a cache of information for leverage during ransom negotiation, or for private sale to other bad actors. If those avenues prove fruitless, the information is then published in full.

The precise nature of the information which has been stolen is unclear but, given Boeing’s military connections, this could include highly confidential material which could be extremely damaging in the public domain, or in the hands of hostile nations. This will disturb not only Boeing, but also its customers (which include the US Air Force) and its long list of supply chain partners. Typically, the longer the supply chain, the higher the risk of cyber attack, as contractual relationships become further and further removed, and effective oversight of cyber resilience at each point in the chain becomes increasingly challenging.

Boston Consulting Group recently stated that “nearly all companies – 98% - have been negatively affected by a cybersecurity breach that occurred in their supply chain”. Those doing business with Boeing will want to be reassured of the smooth running of ongoing operations. While Boeing has confirmed that the issue does not affect flight safety, we expect that there will be at least some disruption to the parts of the business which were directly hit by the attack (i.e. parts and distribution). Boeing’s contracting partners will also want understand whether their information (or information relating to their customers) has been impacted by the attack, and what steps Boeing is doing to contain the incident and secure its systems.  Boeing has confirmed that it is notifying customers and suppliers affected by the attack.

Data protection in the US is regulated by the Federal Trade Commission, though it is possible that other regulators may need to become involved, particularly if the information stolen includes the personal data of individuals from outside the US.

With the largest data privacy team in Scotland, Burness Paull’s specialist lawyers provide a full range of legal services in relation to cyber security, from resilience building and compliance management to breach response and regulatory engagement. Get in touch if you’d like to find out more about how we can help protect your business.

Related News, Insights & Events