Thought Leadership
The cybercrime group ShinyHunters claims to have stolen nine million records and several terabytes of internal information. Medical technology company Medtronic confirms unauthorized system access, but remains silent on the ransom question.
US medical technology manufacturer Medtronic has fallen victim to a cyberattack. The company officially acknowledged the incident after the notorious extortion group ShinyHunters listed the corporation on its leak site and threatened to publish stolen data.
Medtronic is one of the world’s largest medical technology corporations, employing more than 95,000 people across 150 countries. Its product portfolio ranges from pacemakers and insulin pumps to surgical robots.
Products and patient safety reportedly unaffected
In a statement, the company is trying to reassure the public. No impact has been identified on products, patient safety, customer connections, manufacturing, distribution, or financial reporting systems. The networks for corporate IT, products, and production are separated from one another. Hospital networks are also kept separate from Medtronic’s IT and are operated by the hospitals’ own IT departments, the company says.
Whether personal data has been leaked remains an open question for now. The company merely states that it is working to identify which personal information may have been accessed.
ShinyHunters claims nine million records
The ShinyHunters group listed Medtronic on its leak platform on April 17. According to the extortionists, more than nine million records containing personal information and several terabytes of corporate data were allegedly stolen. Medtronic was given until April 21 to pay a ransom, otherwise the data would be published.
The entry has since disappeared from the leak site. In the scene, this is usually seen as an indication that the victim has paid, though this has not been confirmed in this specific case. Medtronic has so far not commented on the matter.
ShinyHunters has been active in the cybercrime scene for years and has been linked to the theft of large customer datasets from companies including AT&T, Santander, and Ticketmaster.
Diabetes subsidiary MiniMed reports to the SEC
The incident is particularly sensitive with regard to the corporation’s diabetes division. The subsidiary MiniMed, which manufactures insulin pumps and continuous glucose monitoring systems, stated in a mandatory filing with the US Securities and Exchange Commission (SEC) that its own IT systems were not affected by the incident.
It thus remains unclear which data exactly fell into the hands of ShinyHunters and whether sensitive health or patient data is among them. The medical technology industry is repeatedly targeted by cybercriminals. Just recently, the medical technology manufacturer Stryker was affected.
