147GB Data Breach: Qilin Targets French Biotech Firm PathoQuest
Today, a cyberattack was discovered against PathoQuest, a biotech company headquartered in Paris with a U.S. branch in Wayne, Pennsylvania, carried out by the RaaS (Ransomware-as-a-Service) gang Qilin.
Attackers exfiltrated 147 GB of data, totalling 171,577 files. Furthermore, they published 7 photos showing proprietary documents and personally identifying information (PII) as proof of the data breach.
The screenshots contain the following PII, exposing employees of PathoQuest SAS (France) and PathoQuest Inc (USA) to possible identity theft and social engineering attacks:
- Contact details containing the first and last names of sponsors and contractors
- Sponsors/Contractors phone numbers and email addresses
- Names and email addresses of certificate recipients and their security level
- DocuSign digital signatures
- IP addresses of certificate recipients
The attack goes deeper because the gang disclosed they had exfiltrated far more than what the screenshots reveal.
In Qilin’s dramatic description of the attack, they alleged to have stolen the following:
- All data pertaining to PathoQuest’s daily operations
- Information on all PathoQuest’s clients
- Proprietary research,
- Personal information on all PathoQuest employees
- Financial documents
- Company work plans for the coming years
Reputational Harm: Accusations of Regulatory Fraud
It is important to note that ransomware groups go straight for the throat by elevating a company’s reputation, using language that praises its innovation and stature, and then, in the same breath, revealing how it failed to protect its digital assets. This psychological tactic is pure theater, designed to increase pressure on victims and compel them to pay.
The ransomware gang left the following message on their leak site, where they briefly allege that official reports submitted by clients to regulators might not match what those same clients told government regulators, which could potentially be an explosive revelation if factual, as it would raise questions about regulatory compliance, data integrity, and honesty. Bear in mind, this is merely an allegation made by a group of data extortionists until independently verified by proper regulatory authorities.
“It is particularly emphasized that the company follows the strictest protocols for ensuring biological safety. At the same time, they were unable to ensure the security of their computer systems. Absolutely all of the company's developments were made publicly available. In addition, the published data contains information on all of the company's clients, as well as actual research, which may differ from the information that customers submit to regulatory authorities. The personal data of all employees, financial documents, and the company's work plans for the coming years have also been published. The leak could seriously damage the company's public image and destroy its reputation.”
Although the language in the message suggests that the data has already been made public, it does not appear to be made available yet on Qilin’s leak site.