- Toymaker Mattel disclosed a ransomware attack from July 28 in a 10-Q SEC filing Tuesday.
- The attack resulted in a "number of systems" being encrypted and while the company was able to contain the attack, some operations were impacted and then restored. The forensic investigation found no evidence of business or retail customer, supplier, consumer or employee data was exfiltrated.
- The company reported "no material impact" on operations or its financial condition. However, "while Mattel carries cyber and business continuity insurance commensurate with its size and the nature of its operations, there can be no guarantee that costs incurred as a result of cyber events will be covered completely," according to the filing.
Mattel disclosed limited details in the SEC filing, though sources told Bleeping Computer the ransomware attack traced back to Trickbot.
Microsoft began pursuing Trickbot's operations in October, aiming to eliminate its critical operational infrastructure. By mid-October, the company reported disrupting 94% of its command-and-control servers and other infrastructure functions. However, Microsoft conceded "there is not always a straight line to success."
Trickbot is often the prelude to a Ryuk ransomware attack. The main threat group perpetrating Ryuk, UNC1878, used Trickbot or Emotet for initial access, though has since graduated to using BazarLoader or BazarBackdoor.
Ryuk's activity dropped off the radar between the onset of the pandemic in the U.S. until September. Potential activity in July would be an outlier. However, because Ryuk is a commodity malware, UNC1878 may not have been behind this attack.
Though Mattel said the attack didn't compromise any data, the company noted the "significant uncertainty" around privacy and data protection laws and how they are interpreted, potentially creating "inconsistent or conflicting requirements," according to the filing. Compliance for regulations, including GDPR and the CCPA, impost "significant costs and challenges that are likely to increase over time."
The California-based company faces additional privacy regulation as California residents voted on Proposition 24, or the California Privacy Rights Act (CPRA) Tuesday. If passed, the "CCPA 2.0" would prevent companies from collecting any consumer data necessary to provide their services. At the time of publication, The Associated Press tabulated 72% of California's vote, with 56% of constituents voting "yes" for the CPRA.
Mattel noted that any delay or disruption to its systems, including cyberattacks, "could lead to violations of privacy laws, loss of customers, or loss, misappropriation or corruption of confidential information, trade secrets, or data," which could unravel into greater financial ramifications. Ransomware attacks resulting in breached data tend to have lingering and less predictable financial losses.