Charles River Laboratories discloses a breach, but details are lacking

From their SEC filing:

On April 30, 2019, Charles River Laboratories International, Inc. (the “Company” or “Registrant”) notified clients of unauthorized access into portions of its information systems.  Promptly upon detection of unusual activity in its information systems in mid-March, the Company commenced an investigation into this incident, coordinated with U.S. federal law enforcement, and engaged leading cybersecurity experts.  Charles River also began to promptly implement a comprehensive containment and remediation plan.

While the investigation is ongoing, the Company has recently determined that some client data was copied by a highly sophisticated, well-resourced intruder.  The number of clients whose data is known to have been copied represents approximately 1% of Charles River’s total number of clients.  The percentage of clients affected does not necessarily equate to the potential revenue or financial impact related to this incident, which the Company has yet to determine.  There is no indication at this time that any of the client data the Company has identified as having been accessed during this incident was deleted, corrupted, or altered. Charles River has taken steps to contact all clients whose data is known to have been copied.

The Company continues to move aggressively to further secure its information systems, which includes adding enhanced security features and monitoring procedures to further protect its client data. While Charles River has taken substantial steps to minimize unauthorized access into its information systems, until its ongoing remediation process is complete, the Company will be unable to determine that this incident has been entirely remediated. However, Charles River believes it has closed the point of entry employed by the intruder in connection with this incident.  The Company has not observed any further indications of continued unauthorized activity in its information systems.

For information on this incident, please visit a dedicated website at www.criver.com/cybersecurity. Information set forth on that website is not incorporated herein by reference.

They never say what kinds of client data were compromised. Boston Business Journal reports that it was biotech and pharma clients who were affected and some drug developers’ data was copied, but it’s not clear whether there is any PII or PHI involved. Not even in their more extensive document with FAQ does Charles River identify data types. How odd. DataBreaches.net has emailed them to inquire.

Update: Amy Cianciaruso. Corporate Vice President, Public Relations & Corporate Communications for Charles River responded to this site’s emailed inquiries, stating, “At this time, we are only providing the information available in the 8K.”  She did not answer this site’s questions but did tell another site that the data would not have included patient data. Read more on MedCity News.

About the author: Dissent

Comments are closed.