Common security questions, June 27 malware incident

On June 27, 2017, Nuance was the victim of a sophisticated cybercrime, which affected companies around the world. We know that some of our customers have questions about the incident and the actions we have taken to recover our systems and enhance our security. We’ve provided answers to many of these questions within this blog post.
By
Nuance answers common customer questions about the June 27 malware incident

On June 27, 2017, Nuance was the victim of a sophisticated cybercrime, which affected companies around the world. In response, we rapidly initiated an emergency shut down of our global network and suspension of all data backups to limit the spread of the malware within our systems. Our first priority was to contain the incident and protect our customers. We continue to investigate the incident with the help of third-party experts and are cooperating with law enforcement.

Importantly, as we have previously said, we have no indication that customer data has been lost or removed from our network. We have made rapid progress in restoring our systems safely with enhanced security. As computers and systems are brought back online, we are adding further security controls as we work to restore full functionality for our customers.

We know that some of our customers, particularly in healthcare, have questions about the incident and the actions we have taken to recover our systems and enhance our security.  In an effort to be as responsive as possible, we wanted to provide answers to the following frequently asked questions:

 

What is the malware that affected Nuance’s systems?

The malware that affected Nuance was NotPetya, a new variant of malware that affected organizations worldwide.

 

Has customer data been lost or removed from the network?

We have no indication that customer data has been lost or removed from our network. The NotPetya malware was not designed to copy or extract any file contents (including customer data) from affected systems.

 

Is it safe to open email from Nuance?

Nuance’s analysis of the NotPetya malware, as well as the published analyses of multiple third-party security researchers, indicates that this malware does not spread via email, by email attachments, or by infecting other files. Based on these findings, emails and attachments from Nuance are free of the NotPetya malware. You should always follow standard secure email practices when interacting with emails from Nuance or other senders.

 

Is it safe for Nuance employees to connect to customer systems, including through VPN? 

Nuance has a process to vaccinate or inoculate its Windows systems, which includes confirmation of antivirus and the installation of the highly sophisticated endpoint tools, as well as other tools that contain updated signatures. Based on these processes, Nuance laptops and desktops are free of the NotPetya malware and it is safe for Nuance professionals to interact with customer systems as they normally would.

 

Were patches able to stop the malware?

Unlike some malware, patching alone would not have arrested the propagation of NotPetya. As well as having the ability to exploit unpatched systems, this highly sophisticated malware also leveraged native capabilities and functionality inherent within Microsoft Windows giving it the ability to propagate into and through patched systems.

 

What is Nuance doing to prevent this from happening again?

We have taken measures to enhance our security posture against similar future incidents in consultation with third-party experts. These additional measures focus on hardening the security configurations of endpoints, deploying advanced endpoint protection and detection software, and enhancing network security measures to ensure we emerge from this with a safer and more secure operating environment.

 

 

Additional information for our Healthcare Customers:

 

Have any doctor voice profiles been lost?

We have no indication that voice profiles have been lost.

 

Does the incident constitute a breach under the HIPAA Breach Notification Rule?

Nuance has determined that the Incident constitutes a “security incident” for purposes of the HIPAA Security Rule, but does not constitute a breach of unsecured PHI for purposes of the Breach Notification Rule. More details and our working conclusion can be found here.

Doug Graham

About Doug Graham

Doug Graham is the Chief Security Officer at Nuance Communications. Prior to his appointment in this position, he served in various security leadership roles at EMC including Chief Security Officer for Mozy, Business Information Security Officer for EMC’s Cloud Services Division, Senior Director of Information Security for the Global Security Office, and as a Solutions Partner within EMC Consulting. Doug also acts as an advisor to startup companies on security product strategy and business development. With over two decades of experience spanning information and physical security disciplines in the U.S. and Europe, Doug brings a strong balance of leadership, businesses acumen, and technical ability to the security arena. Doug is a graduate of the No.1 Radio School of the UK’s Royal Air Force where he served in an air defense and information warfare capacity. He holds a bachelor’s degree in business information systems and an MBA from the University of Phoenix.