Auto parts supplier expects weeks of investigation

Continental

For the first time, the automotive supplier has publicly commented on the outflow of data.

(Photo: dpa)

Düsseldorf. According to the company, it will still take “several weeks” to process the cyber attack on Continental. The Dax group announced this in a post on its website on Monday. It is the first time since the attack became known in the summer that the company has issued a public statement on the status of the investigation.

Conti announced the attack itself in August. At that time it was said that the attack had been averted. The Handelsblatt reported at the beginning of November that the hackers had stolen around 40 terabytes of data from the Dax group – apparently including sensitive data from customers such as Volkswagen, information about supervisory board meetings and correspondence from the chief controller Wolfgang Reitzle.

Active and former employees are also affected. A list of the stolen data that the hackers published on the dark web suggests that personal data such as salary letters, ID cards, application letters and birth certificates fell into the hands of the cybercriminals.

Continental has now published eight questions and answers on its website, which are primarily aimed at its own employees. It states that the group, as an employer, is doing everything “to analyze and evaluate the data with regard to possible sensitivity to sensitive personal data”.

Due to the ongoing investigation, Conti cannot yet say what the consequences will be “for potentially affected employees and other reference groups of the company”. The Dax group also does not provide any information on the possible economic consequences in the announcement.

Hackers used “stealth malware”.

The reason for the lengthy internal investigations is, on the one hand, the extent of the data leak. The company had to analyze more than 55 million file entries from the list on the dark web. On the other hand, “extensive legal framework conditions must be observed” during the review, for example in the area of data protection.

The General Data Protection Regulation (GDPR) stipulates that companies must inform those affected by a data leak if there is “a high risk to personal rights and freedoms”. If notifying each individual would involve disproportionate effort, a public announcement, for example, must be made instead.

According to a group spokesman, the notification that has now been published was made independently of the GDPR requirements. The questions and answers are therefore “a fundamental transparency measure”. Conti is still in contact with the data protection authorities.

The company said it was “working with a reputable auditing firm” to analyze the data. According to Handelsblatt information, this is KPMG. The “Frankfurter Allgemeine Zeitung” was the first to report this.

In the announcement on Monday, the group also confirmed information from the Handelsblatt on the first results of the forensic analysis. According to these, the attackers gained access to the systems “by means of camouflaged malware” that was executed by a single employee.

The Conti data itself has not yet been published. The cybercriminals initially demanded $50 million for the data set. Last week, they lowered the price to $40 million. Continental emphasizes that the group will not agree to ransom payments.
