U.K.-based medical technology company Tissue Regenix acknowledged on Tuesday that it took its systems offline after an unauthorized party accessed them and those of its U.S.-based third-party IT service provider.
According to a report from Reuters, the Leeds-based company said the shutdown will negatively impact its ability to manufacture products at its U.S. facility in the short term. U.K.-based and financial systems are apparently not affected.
Tissue Regenix reportedly has not indicated when the intrusion took place or when it was discovered. The company did say that it has hired experts to investigate the intrusion and has also contacted legal officials.
On its website, Tissue Regenix describes itself as a company "focusing on the development of regenerative products utilizing our two platform technologies" – one that addresses soft tissue needs, and another that provides inductive bone allografts. Its three areas of medical specialization are biosurgery, orthopedics and dental, and cardiac. SC Media reached out to Tissue Regenix for further comment on the incident.
Reuters reported that shares in the company dropped as much as 22 percent following the announcement.
"The Tissue Regenix cyberattack is a stark reminder for manufacturers – and all organizations – that they are only as secure as their supply chain. Cybercriminals continue to attack unsuspecting third parties, including IT service providers, as a stepping stone to infiltrate larger enterprises," said David Higgins, EMEA technical director at CyberArk. "As manufacturing companies continues to be fruitful targets – especially those in the medical device market where IP and trade secrets are highly sought-after – their financial well-being will be increasingly linked to their ability to identify and protect critical assets. And while it's not always possible to control the security posture of the companies we work with, it is entirely possible to control what happens should an attacker gain a foothold."
David Pearson, principal threat researcher at Awake Security, said the incident demonstrates that companies working with third-party partners "must take steps to ensure that those contractors are working to safeguard their mission-critical information. For example, identifying trained and experienced individuals with certifications and skillsets that can pivot quickly toward managing and maintaining a third-party risk management (TPRM) policy is a significant step to this. Also, simply identifying the contractors and understanding how they differ is critical. When one knows the systems used by third-party contractors, it becomes much clearer to assess what risk the organization is dealing with."