Wind River Systems Investigating Possible Data BreachCompany: Social Security Numbers and Other Data May Have Been Exposed
Embedded software vendor Wind River Systems is investigating a security incident and possible data breach, according to a notification filed with the California attorney general's office.
The security incident happened around Sept. 29, 2020. At that time, Wind River found that one or more files, which contained personally identifiable information, had been downloaded by an unknown third party, according to the breach notification filed in California.
In the report, Wind River did not provide information on the number of people affected and whether the incident involved employees, customers or both. The company did say that the exposed data includes Social Security numbers, passport and visa details, dates of birth and driver's license numbers, as well as health information and financial account information.
Wind River notes that it is working with law enforcement officials and third-party security experts to investigate the incident. "However, we have no indication that any information in the affected files has been misused. Recent searches by our experts did not uncover any of these files online," the notification states.
Alameda, California-based Wind River is known for developing code for intelligent connected systems, embedded software, development tools and simulation technology. It also produces industry-specific products for the aerospace and defense industries as well as organizations in the industrial and automotive fields.
A spokesperson for Wind River could not be immediately reached for comment on Wednesday.
Wind River has yet to provide details on how the attackers were able to compromise the files in its network. The company, however, notes that it has installed additional security monitoring tools and implemented new processes and says it will focus on improving the cyber resiliency of its network.
Other Wind River Incidents
This is not the first cyber incident at Wind River. In 2019, security researchers with security vendor Armis disclosed 11 different zero-day vulnerabilities within VxWorks, a real-time operating system owned and maintained by Wind River (see: 'Urgent/11' Vulnerabilities Affect Many Embedded Systems).
Unlike Microsoft Windows or Linux, these types of operating systems are found in various embedded and internet of things systems. They typically process data quickly and allow for a high degree of reliability.
The operating system is used in some 2 billion embedded systems that include medical devices, routers, VOIP phones and mission-critical infrastructure equipment.
Researchers had said that this collection of vulnerabilities, which Armis called "Urgent/11," could lead to remote code execution and allow an attacker to take over a whole system without interacting with the user.