
MKS Instruments hit with lawsuit following ransomware attack


A former employee at MKS Instruments is leading a class action lawsuit following a ransomware attack against the semiconductor chipmaker in February, saying the company’s negligent cybersecurity led to the unauthorized and unnecessary breach of personal identifying information.

On Feb. 13, MKS discovered it was the victim of a ransomware attack, which impacted business systems and delayed or disrupted the company’s ability to process orders, ship products and provide other services, according to comments made by CEO John Lee in a Feb. 28 earnings call.

According to a complaint filed March 3 in the Orange County Superior Court of California, “John Doe” is a former employee at MKS Instruments’ Irvine branch office. Doe and others provided personal and medical information to their employer, information that the company said may have been stolen and exfiltrated during the attack.

A footnote states that the plaintiff is filing under the name “John Doe” under California law, which allows the use of a pseudonym in cases involving healthcare information in order to protect the patient’s privacy and prevent harassment.

The suit claims that by not adequately protecting that information, MKS Instruments violated data protection requirements in the California Confidentiality of Medical Information Act, the California Consumer Privacy Act and other state laws. It also claims that the company may have stored such data in an unencrypted state, allowing hackers to make off with usable information that could lead to identity theft, fraud and other threats for affected victims.

The lawsuit is seeking unspecified monetary damages and payment of attorney fees resulting from the incident.

“MKS had the resources necessary to protect and preserve confidentiality of Plaintiff’s and the Class’ medical information and personal information in their possession, but neglected to adequately implement data security measures as required by the CCPA and the CMIA, despite their obligation to do so,” the complaint states.

The complaint cites a notification sent by MKS Instruments to the affected parties stating that the company was investigating the incident and could not rule out the possibility that personal data for employees and others may have been exfiltrated.

What data may have actually been stolen is unknown at this time, but the universe of information potentially exposed is vast. Among the information listed by the company were names, contact information, addresses, government ID numbers, work login credentials and passwords, marital status, veteran status, nationality, immigration status, race, religious beliefs, education, employment history, dates of birth, gender, sexual orientation, bank account information, payment card information, compensation and equity, hours worked, information about disabilities, health and medical conditions, health insurance information, and children and emergency contacts.   

MKS reports high losses, legal costs associated with ransomware attack

MKS Instruments disclosed the lawsuit in a Securities and Exchange Commission filing this week, saying “we have incurred costs, and we expect to continue to incur costs, which may be significant, in connection with efforts to investigate the incident, assess the impact of the incident, recover our systems, enhance our data security and protect against unauthorized access to, or manipulation of, our systems and data.”

The company reported that it has taken on a variety of costs associated with the event, including the hiring of third-party consulting services, forensic experts, restoration experts, legal counsel, and other information technology and accounting professionals; enhancements to its cybersecurity measures; costs to restore systems and regain access to data; and employee-related expenses such as increased overtime.

Terry Dennehy, vice president and senior credit officer for Moody’s Investors Service, said the ransomware attack and fallout was “credit negative” for the business.

“The financial ramifications, temporary manufacturing delays, and the class action lawsuit underscore the potential cascading impacts of any cyber incident and the need to bolster cybersecurity across the industry,” Dennehy said in a statement.

The filing also noted that it’s possible additional lawsuits or government sanctions could arise as a result of the attack.

“While we intend to vigorously defend this lawsuit, and any additional such lawsuits, in light of the inherent uncertainties involved in such proceedings, we may incur losses associated with any such proceedings,” the company stated.

The company’s initial first-quarter revenue projection of $1 billion was reduced by $200 million because of the incident, MKS Instruments' Chief Financial Officer Seth Bagshaw said in the February earnings call, two weeks after the incident was discovered. He also expressed optimism that the business would make up that shortfall in the second quarter.

Businesses are increasingly facing legal action from users, customers, employees and other victims when they suffer a data breach, often under the argument that they could have done more to bolster their cybersecurity and prevent unauthorized access. Companies like SolarWinds and a range of entities in the healthcare sector have faced similar lawsuits, many of which are eventually settled out of court.

Tyson Benson, an intellectual property and cybersecurity attorney at ZF Group, told SC Media that despite the fact that the lawsuit is being led by a former employee, there are few specific allegations demonstrating direct negligence on the part of MKS Instruments. While ransomware attacks typically involve the exfiltration of sensitive data, the company's notice only said that such data may have been stolen. Meanwhile, the complaint doesn't offer any direct evidence that personal data was left unencrypted, and that claim appears to be an inference on the part of the plaintiff's lawyers based on MKS' notification letter.

"There's no specific facts that the complaint points to. This very well could be a situation where MKS had all their stuff exfiltrated: trade secrets, confidential information, personal data of all their employees — but we don't know that," said Benson. "That's what discovery is for and that's what the argument would be ... but this is one of those [cases that] is lacking on specifics."

A call to one of the law firms representing the plaintiffs, Cohelan, Khoury and Singer, was not returned by press time. A public relations firm representing MKS sent SC Media a statement saying “as a matter of policy, we don’t comment on pending litigation.”

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
