Chemonics International had attackers roaming its systems for months, leading to hundreds of thousands of individuals having their personal details revealed.
The US-headquartered international development firm Chemonics revealed over 263,000 people were exposed in a months-long data breach.
The company is a major international development firm and one of the largest receivers of funds from the United States Agency for International Development (USAID). For example, it is leading a $9.5 billion initiative to strengthen global medical supply chains.
According to the letter that Chemonics sent to impacted individuals, the company first noticed “suspicious activity” in mid-December 2023. As usual in data breach cases, after discovering the unusual activity, the company’s security teams “took steps to remediate, including by conducting password resets and disabling impacted accounts.”
A subsequent investigation revealed that unauthorized access began months before it was discovered, in the last days of May 2023. The attackers roamed Chemonics’ systems for over half a year.
Even though the company discovered the breach in December of 2023, the last “detection” of unauthorized access is dated almost a month after the discovery.
“The in-depth cyber forensic investigation identified evidence indicating that the unauthorized access occurred beginning on May 30th, 2023, and continued through the last date of detection on January 9th, 2024,” reads the letter.
The data breach, which exposed a quarter of a million individuals, was investigated for nearly a year, and breach notification letters were sent out almost exactly a year after the attack was first identified.
“This process took time to complete, and on October 31st, 2024, the eDiscovery process confirmed which individuals’ personal information was subject to unauthorized access,” Chemonics said.
We have contacted the company to clarify the scope and geography of the attack and why the investigation took so long to complete.
However, Chemonics responded repeating details from the breach notification, adding it cannot reveal additional details due to the sensitive nature of the issue.
“We continue to closely monitor our systems for any unusual activity. There is no ongoing unauthorized access, and the incident has been contained and remediated. We have begun sending notification letters to impacted individuals and have set up a dedicated call center to provide support,” Chemonics told Cybernews.
Meanwhile, in addition to promising to strengthen its cybersecurity posture in the notification letter, the company said it would offer impacted individuals two years of complimentary identity protection services.
Chemonics claims to be working in 100 countries around the globe with several thousand local specialists on challenges “ranging from food security and health to climate change, education, and private sector development.”
Updated on December 6th [10:00 a.m. GMT] with a statement from Chemonics.
Your email address will not be published. Required fields are markedmarked