Vestas has announced that the cybersecurity incident that hit the company on 19 November involved a breach of employees’ personal data.
The Danish manufacturer said that “in order to ensure a timely notification of affected employees and business partners and due to challenges in identifying all individuals whose personal data has been compromised, Vestas has decided to provide this public notification of the personal data breach”.
It said that the hackers managed to retrieve data from the compromised internal file share systems and have made some of the compromised data public.
“There are no indications that personal data outside Vestas internal file share systems was compromised,” Vestas said.
The company’s investigation into the incident is still ongoing.
Vestas said it has received confirmation that some of the compromised data has been leaked by the attackers and potentially offered to third parties.
The investigation suggests that the hackers have not specifically targeted personal data, the company said.
It said the majority of the personal data includes names and contact details, including addresses, emails, phone numbers, country of residence, education, training and professional skills, pictures, information related to job applications and CVs, information related to the management of employment, salary information, employment documents, information on absence and leave, and travel information.
However, in some instances, the investigations have identified that the files retrieved by the hackers contain more sensitive categories of personal data, including information regarding marital status and next of kin, identification documents – passports, birth certificates, work permits and driver’s license – social security numbers, medical certificates, injury reports, and bank account information.
Vestas said: “It is important to reiterate that not all employees and business partners of Vestas have been affected by the cyber security incident and the majority of the compromised personal data is not of a sensitive nature.
“If Vestas, as part of the investigation, identifies individuals whose personal data is compromised, Vestas will to the extent possible notify the affected individuals, if it is assessed that this is appropriate given the risk to such individuals.
“However, due to the potential risk caused by the leak of personal data, Vestas encourages that all employees and business partners continue to stay vigilant of any indications of misuse of their personal data.”


