On March 14, 2023, Lightcast alerted customers to a security incident which caused a temporary disruption to Lightcast services. We have provided periodic updates about the incident as we have investigated the cause and extent of the intrusion and sought to restore services. The purpose of this letter is to give a final report of the investigation into the incident, what we have learned from it, and how we are improving our security for the future.
Some key points include:
- The initial intrusion was on March 14 and remediation began immediately;
- No further malicious activity has been detected since March 15;
- An outside forensic investigation has found no evidence of a data breach, staging, or exfiltration; and,
- We are confident it is safe to connect to Lightcast services.
We want to thank you for your patience while we conducted our investigation. In aiming for responsible disclosure, we have done our best to balance speed in sharing information with maintaining the integrity of our investigation.
On March 14, 2023, our data security team received an alert from our endpoint security platform of suspicious activity at one of our data centers in Boston, Massachusetts. This alert initiated a deeper review by Lightcast’s security team. After looking into the matter, our security team concluded that a third party had gained unauthorized access to the data center and immediately took steps to isolate the environment and cut off access. Although this action caused an outage of some Lightcast services, we felt it was necessary under the circumstances.
Beginning on March 14 and continuing on March 15, we implemented a number of security measures to ensure the intrusion was contained and shore up Lightcast’s security defenses. On March 15, 2023, Lightcast’s security monitoring systems reported no further suspicious activity. We immediately engaged a cyber security firm to investigate the source of the intrusion, the extent of the intruder’s access, and what, if any, data was compromised.
The third-party forensic investigation team spent approximately four weeks investigating the incident. They concluded from the investigation that the intruder likely gained access using compromised credentials via a remote VPN. Once the intruder gained access, they moved across systems before deploying ransomware. The prompt action by Lightcast’s security team interrupted the attack before it was complete.
The investigators further concluded that the intrusion was contained to a single Lightcast data center. They found no evidence that the intruder accessed any other Lightcast or customer-connected networks. Significantly, the investigators concluded that there was no evidence of data staging or data exfiltration.
Based upon these facts, we do not believe that any customer data was compromised in the incident or that any of these facts or circumstances give rise to any breach notification obligations.
How do we know it is safe to connect to Lightcast services?
We are confident that customers can safely connect to Lightcast services. We have taken extraordinary measures to restore services as quickly as possible and to ensure that the services are secure. The intrusion resulted in outages in the following services to customers:
- NOVA feed delivery
- LENS Metered On-Premise installations
Other Lightcast products continued to function, but the attack also affected our ability to process new job posting data.
We have taken numerous steps since becoming aware of this attack, both to close the attack vector and add additional layers of security, including the following:
- Proactively reset all user account credentials company-wide.
- Implemented monitoring and alerting for the specific behaviors and executables we identified in this incident.
- Erected a separate, new production environment and restricted access to the new environment to avoid cross-contamination from the affected environment.
- Ensured the following security measures were in place:
  - Multi-factor authentication for all VPN connections
  - AWS Shield Advanced
  - Endpoint detection and response
- Conducted third-party penetration testing to identify and remediate vulnerabilities.
The affected servers have not been reconnected to the Lightcast network or been brought back online and we do not intend to do so. All affected services have been restored on our new data infrastructure and all posting data is up to date.
We know that security work is never done. In addition to closing this particular vector, we have also performed enhanced and ongoing reviews to ensure a stronger defense against potential attacks.
Information that may help your team with its security assessment
With the help of the forensic investigation team, we have recently confirmed additional details that may help customers in their audits and investigations. The forensic investigation team compiled this list of indicators of compromise (IOCs) associated with the malicious actor.
What we learned from this incident
We learned that no matter how sophisticated our security tools and systems are, there is always room for improvement. The authentication, security, and tracing tools we had in place allowed us to comprehensively diagnose and remediate the issue. As the tactics of malicious actors change, we are continuously evolving our security standards and implementing best practices to stay ahead of future threats.
We know there is no convenient time to respond to a security incident on a critical system, and we want to sincerely thank all of our customers for their understanding and support following this incident. We understand that customers may want to conduct their own assurance activities and we welcome the opportunity to work with you and deepen the relationship between our companies. Thank you for your support and patience as we worked to resolve this incident.