Johnson Matthey suffers a third-party breach


Sustainable technology company Johnson Matthey has suffered a third-party data breach, exposing over 6000 employee records.

The British multinational chemical and sustainable technology company headquartered in London released a letter on March 18th revealing that it had suffered a third-party breach that occurred months prior.

The company claims to “value its employees” while being committed to guarding employees' personal information. Yet the company suffered a cybersecurity incident involving human error.

The data involved included “employment-related documents” containing employees' names, Social Security numbers, and dates of birth.

Johnson Matthey found on February 15th, 2024, that files containing the personal information of US employees had been stored on a third-party storage system.

In the breach notification letter, the company seems to suggest that it was unaware that this data had been stored on a third-party platform.

Once the company knew of the incident, it retrieved the files, removed them from the external platform, and investigated the incident.

“Through our investigation, we determined that the files were temporarily placed on the storage platform by a contractor hired to perform work for the company who inadvertently left the files on the platform following the completion of their work. While our investigation is ongoing, the company believes the documents may have been stored on the platform since 2020 without access controls,” the breach notification letter reads.

Johnson Matthey hasn’t found any evidence to suggest that these files were accessed or downloaded during the four-year period.

However, the lack of access controls on the external platform implies that adversaries could have easily accessed the data.

Furthermore, the company has searched external websites and repositories for the data and hasn’t identified any copied or stolen employee information.

Johnson Matthey is offering two years of identity protection as compensation for the incident.

The company responded to our request for comment, stating that "the incident relates to the personal information of our JM workforce based in the US that was inadvertently left on a third-party storage platform by a contractor hired to work for JM. Upon learning of the situation, all files were immediately located and removed."

A representative of Johnson Matthey claims that there is "no evidence to suggest that the files were accessed or downloaded, and we found no evidence of any personal information relating to this incident on external websites or repositories."

Furthermore, the company says it is "taking steps to ensure this does not happen again, including a review of our third-party data handling protocols and what additional steps are needed to enhance the protections we already have in place."