Full Report
On March 21, 2026, we learned that a threat actor group had accessed and encrypted the network at one of our office locations. We immediately informed our IT Security Consultants and shut down our servers. We also engaged with a specialized Forensic IT firm and Cyber Counsel to investigate and remediate the situation. These experts worked with our IT personnel to assess the scope of the situation and to recommend additional security measures. The forensic team confirmed the unauthorized access to our servers on March 21, 2026. The forensic experts contained the incident on March 23, 2026, but the restoration process of our network and servers is still ongoing. While the forensic experts confirmed that the threat actor group gained access to the data on our network, the full extent was not known until May 9, 2026.
Analysis Summary
# Incident Report: Ransomware Encryption and Data Exfiltration at Ampex Data Systems Corp.
## Executive Summary
On March 21, 2026, Ampex Data Systems Corp. identified a ransomware attack involving the unauthorized encryption of network files at one of its office locations. Following a forensic investigation, it was determined that a threat actor group had accessed sensitive data belonging to 3,723 individuals. The incident resulted in significant operational disruption, requiring a multi-month recovery and investigation process that concluded in May 2026.
## Incident Details
- **Discovery Date:** March 21, 2026 (Initial discovery of encryption); May 9, 2026 (Full scope of data breach confirmed).
- **Incident Date:** March 19, 2026 (Per breach notification filing).
- **Affected Organization:** Ampex Data Systems Corp.
- **Sector:** Other Commercial (Aerospace/Defense technology)
- **Geography:** Hayward, California, USA
## Timeline of Events
### Initial Access
- **Date/Time:** March 19, 2026
- **Vector:** External system breach (Hacking)
- **Details:** A threat actor group gained unauthorized access to the corporate network via an external-facing system.
### Lateral Movement
- **Details:** Following initial access, the threat actor moved laterally through the network to the servers at one office location, from which the encryption was carried out.
### Data Exfiltration/Impact
- **Details:** The threat actor group accessed and encrypted network folders. The forensic investigation later confirmed that personal identifiers and sensitive information were accessed prior to or during the encryption phase.
### Detection & Response
- **March 21, 2026:** Ampex discovered the encrypted network and immediately shut down servers to prevent further spread.
- **March 21–23, 2026:** Forensic IT experts and Cyber Counsel were engaged. Unauthorized access was confirmed.
- **March 23, 2026:** Forensic experts contained the incident.
- **May 9, 2026:** The full scope of the data compromise was finalized, confirming the identities of the affected individuals.
- **May 26, 2026:** Subject notification letters were issued to affected residents.
## Attack Methodology
- **Initial Access:** External hacking of network systems.
- **Persistence:** Not disclosed in the notification. The analysis assumes access was maintained via compromised credentials or backdoors prior to encryption; this is speculation not confirmed by the filing.
- **Impact:** Encryption of network and servers (Ransomware), leading to operational downtime.
## Impact Assessment
- **Financial:** Costs associated with forensic firms, cyber counsel, and 12 months of identity theft protection services for 3,723 individuals.
- **Data Breach:** Compromise of personal identifiers/names for 3,723 individuals.
- **Operational:** Servers were shut down for containment; restoration process was described as "on-going" well after the containment date.
- **Reputational:** Public disclosure via the Maine Attorney General’s office.
## Indicators of Compromise
- **Behavioral indicators:** Mass encryption of files on the servers at the affected office. The notification discloses no technical indicators (hashes, addresses, tool names); the server shutdown on March 21 was Ampex's own containment action, not attacker activity.
## Response Actions
- **Containment measures:** Immediate shutdown of servers and isolation of the affected office network.
- **Eradication steps:** Engagement of specialized forensic firm to identify and remove threat actor access points.
- **Recovery actions:** Ongoing restoration of the network and servers; implementation of "additional security measures" as recommended by the forensic experts.
- **Victim Support:** Provision of 12 months of identity theft protection services.
## Lessons Learned
- **Visibility Lag:** There was a significant gap (March 21 to May 9) between the discovery of the encryption and the full understanding of what data was exfiltrated.
- **Containment Speed:** While the breach was discovered on the 21st, containment was not fully achieved until the 23rd, emphasizing the need for rapid isolation protocols.
## Recommendations
- **Network Segmentation:** Ensure that office-specific networks are segmented to prevent a single point of entry from compromising the entire corporate infrastructure.
- **Enhanced Logging:** Implement robust data egress monitoring to provide faster clarity on what data is being exfiltrated during an encryption event.
- **Endpoint Detection and Response (EDR):** Deploy EDR tools to identify "hacking" behaviors (lateral movement, credential dumping) before the final encryption phase.
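The egress-monitoring recommendation above is the one point where a concrete mechanism helps: a 49-day gap between "files are encrypted" and "here is what left the network" is what per-host egress baselining is meant to shorten. The following is an added example, not code from Ampex or from the analysis above. It assumes NetFlow-style records with the fields `<ISO timestamp> <src_host> <dst_ip> <bytes_out>`, treats RFC 1918 destinations as internal, and flags a host whose daily external byte count is both above a floor and several standard deviations above its own history. All records, hostnames and addresses below are constructed placeholders; the example also covers the edge case of a host with no baseline at all.

```python
"""Daily egress-volume baselining over constructed flow records.

Added example; not part of the Ampex notification or the analysis above.
Assumes NetFlow-style lines '<ISO timestamp> <src_host> <dst_ip> <bytes_out>'
and that RFC 1918 destinations are internal. All records are constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src_host: str
    dst_ip: str
    bytes_out: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<ISO timestamp> <src_host> <dst_ip> <bytes_out>'."""
    ts, src, dst, nbytes = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(nbytes))


def is_internal(ip: str) -> bool:
    """True for RFC 1918 destinations; anything else counts as egress."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def daily_egress(flows) -> dict:
    """Sum bytes sent to external destinations per (host, calendar day)."""
    totals = defaultdict(int)
    for f in flows:
        if not is_internal(f.dst_ip):
            totals[(f.src_host, f.ts.date())] += f.bytes_out
    return dict(totals)


def detect_egress_spikes(baseline_flows, window_flows, z_threshold=3.0, min_bytes=50_000_000):
    """Flag (host, day) totals that exceed min_bytes and sit z_threshold standard
    deviations above that host's historical daily egress. A host with no history
    has no baseline, so any total above min_bytes is flagged; min_bytes is the
    floor that keeps ordinary low-volume hosts from alerting on tiny changes."""
    history = defaultdict(list)
    for (host, _), total in daily_egress(baseline_flows).items():
        history[host].append(total)
    alerts = []
    for (host, day), total in sorted(daily_egress(window_flows).items()):
        hist = history.get(host, [])
        mu = mean(hist) if hist else 0.0
        sigma = pstdev(hist) if len(hist) > 1 else 0.0
        if sigma > 0:
            z = (total - mu) / sigma
        else:
            # No usable variance: treat any growth over the mean as unbounded.
            z = float("inf") if total > mu else 0.0
        if total >= min_bytes and z >= z_threshold:
            alerts.append({"host": host, "date": day.isoformat(), "bytes_out": total,
                           "baseline_mean": mu, "z": z})
    return alerts


# Constructed history: five quiet days for fs01 (~1 MB/day) and ws22 (~20 MB/day).
BASELINE_RECORDS = [
    "2026-03-12T09:00:00 fs01 198.51.100.20 900000",
    "2026-03-13T09:00:00 fs01 198.51.100.20 1100000",
    "2026-03-14T09:00:00 fs01 198.51.100.20 1000000",
    "2026-03-15T09:00:00 fs01 198.51.100.20 950000",
    "2026-03-16T09:00:00 fs01 198.51.100.20 1050000",
    "2026-03-12T10:00:00 ws22 198.51.100.20 19500000",
    "2026-03-13T10:00:00 ws22 198.51.100.20 20500000",
    "2026-03-14T10:00:00 ws22 198.51.100.20 20000000",
    "2026-03-15T10:00:00 ws22 198.51.100.20 19000000",
    "2026-03-16T10:00:00 ws22 198.51.100.20 21000000",
]

# Constructed detection window: one day with an internal copy (ignored), a 2 GB
# transfer from a file server, a normal workstation day, and a host with no history.
WINDOW_RECORDS = [
    "2026-03-19T02:14:00 fs01 10.0.0.5 500000",
    "2026-03-19T02:20:00 fs01 198.51.100.44 2000000000",
    "2026-03-19T10:00:00 ws22 198.51.100.20 21000000",
    "2026-03-19T11:30:00 ws07 198.51.100.44 60000000",
]


def run_example():
    """Run the detector over the constructed records and return the alerts."""
    return detect_egress_spikes([parse_flow(l) for l in BASELINE_RECORDS],
                                [parse_flow(l) for l in WINDOW_RECORDS])


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Two alerts come out: `fs01` (2 GB against a ~1 MB/day history) and `ws07` (no history, so the floor alone decides), while `ws22` stays quiet because a 5% rise is within its own variance. In production the baseline would come from weeks of flow data rather than five days, and the per-host result would be joined with the identity of the logged-in user and the destination's reputation before it pages anyone; the value of the approach is that the byte counts exist on day one of the incident, rather than being reconstructed weeks later.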