Full Report
On June 17, 2025, Bomco became aware that certain files in its network may have been accessed by an unauthorized actor. Bomco promptly launched an investigation to determine the nature and scope of this incident. The investigation determined that an unauthorized actor gained access to certain files within Bomco’s network from June 14, 2025 to June 16, 2025, and may have copied those files. Following the investigation, Bomco undertook a detailed review of the involved files, with the assistance of third-party data review specialists, to determine what information was present in these files and to whom it relates. Bomco completed this review on April 20, 2026. Thereafter, Bomco conducted additional review of its internal records to identify contact information for individuals to make this notification. Bomco is unaware of any fraudulent misuse of information as a result of this event.
Analysis Summary
# Incident Report: Bomco Network Intrusion and Data Exfiltration
## Executive Summary
Between June 14 and June 16, 2025, an unauthorized external actor gained access to files within Bomco, Inc.'s network and may have copied them. Bomco became aware of the access on June 17, 2025, one day after the access window closed, and launched an investigation; the subsequent file-by-file review, done with third-party data review specialists, did not conclude until April 20, 2026. The investigation confirmed unauthorized file access but the company reports no evidence of fraudulent misuse of the data. The notice does not disclose the initial access vector, the systems involved, or the data elements exposed.
## Incident Details
- **Discovery Date:** June 17, 2025 (initial awareness); data review completed April 20, 2026, after which affected individuals' contact details were identified from internal records
- **Incident Date:** June 14, 2025 – June 16, 2025
- **Affected Organization:** Bomco, Inc.
- **Sector:** Other Commercial (Manufacturing/Aerospace)
- **Geography:** Gloucester, Massachusetts, USA
## Timeline of Events
### Initial Access
- **Date/Time:** June 14, 2025
- **Vector:** External system breach (Hacking)
- **Details:** An unauthorized actor gained entry into the corporate network and had access to files over a window spanning June 14 to June 16, 2025. The notice gives dates, not times, so dwell time is anywhere up to roughly three days; it does not say how the actor got in.
### Lateral Movement
- **Details:** Not disclosed. The notice states only that the actor "gained access to certain files within Bomco's network"; which systems were traversed, and whether the files sat on a file server, an endpoint or another store, is not stated.
### Data Exfiltration/Impact
- **Details:** The actor accessed, and "may have copied", certain files; the notice does not confirm exfiltration outright. The data elements involved and the categories of individuals affected (employees, customers, or both) are not listed in the notice. The affected population includes at least 4 Maine residents.
### Detection & Response
- **Discovery:** June 17, 2025 (Initial awareness of unauthorized network activity).
- **Response Actions:** Launched an investigation into the nature and scope of the incident; engaged third-party data review specialists to determine what information the accessed files contained and to whom it relates; then reviewed internal records to find contact information for notification.
- **Completion of Review:** April 20, 2026.
- **Notification:** Written notices sent to affected individuals on May 18, 2026.
## Attack Methodology
- **Initial Access:** Hacking/External system breach.
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Not disclosed.
- **Discovery:** Not disclosed. The actor located files of interest within the network, but the notice does not say how (directory enumeration, share browsing, or otherwise).
- **Lateral Movement:** Not disclosed.
- **Collection:** Access to "certain files" within the network; whether the actor staged or archived them before copying is not stated.
- **Exfiltration:** Unauthorized copying of files (Method: Not specified).
- **Impact:** Compromise of data confidentiality.
## Impact Assessment
- **Financial:** Costs of the investigation and of the third-party data review specialists named in the notice; amounts are not disclosed.
- **Data Breach:** Compromise of the confidentiality of personal information contained in the accessed files; the notice does not specify the data elements.
- **Operational:** None reported; the notice describes data access, not disruption to production or business continuity.
- **Reputational:** Required notification to state attorneys general and affected individuals; potential loss of trust with commercial partners.
## Indicators of Compromise
- **Network indicators:** Not disclosed in public notice.
- **File indicators:** Not disclosed in public notice.
- **Behavioral indicators:** The notice says only that Bomco "became aware" files may have been accessed; it does not describe what was observed. For an incident of this shape, the observable pattern a defender would hunt for is a principal or host reading or copying an unusual volume of files in a short window, particularly from a source that has not touched those shares before.
## Response Actions
- **Containment:** Not disclosed. The notice says Bomco "promptly launched an investigation" on becoming aware on June 17, 2025; it does not describe isolating systems, resetting credentials or otherwise cutting off the actor's access.
- **Eradication:** Not disclosed. The investigation is described as determining "the nature and scope" of the incident; removal of the actor's access is not mentioned.
- **Recovery:** Not disclosed. The post-incident work the notice describes is the data review and the records review to identify individuals for notification, not system restoration.
## Lessons Learned
- **Key Takeaways:** There was a gap of roughly ten months (June 17, 2025 to April 20, 2026) between discovery of the breach and completion of the review that determined whose data was involved. That gap is typical when the exposed data is unstructured files rather than a database with known columns: every document has to be read to learn what it contains and whom it concerns. The access window itself (June 14 to June 16) was short, and awareness came the day after it closed.
- **What could have been done better:** The notice does not say how Bomco became aware of the access or what monitoring was in place. Awareness came after the access window had ended, so whatever detected it did not fire while the files were being read. Alerting on bulk file reads or copies (via file-server audit logging, EDR, or a DLP tool watching egress) is the control that would plausibly have surfaced the activity during the window rather than afterwards; whether any of these were deployed is not stated.
## Recommendations
- **Prevention Measures:** (general controls; because the initial access vector was not disclosed, none of these can be tied to the specific weakness exploited)
  - Enforce multi-factor authentication on all external-facing access points (VPN, remote desktop, email, SaaS).
  - Deploy an Endpoint Detection and Response (EDR) solution so that hands-on-keyboard activity is visible and alertable while it is happening.
  - Enable file-access auditing on shares holding personal data, forward the logs centrally, and alert on anomalous read volume rather than relying on periodic manual audits.
  - Minimize and classify stored PII, and retire files no longer needed, so that the set of files an intruder can reach, and the set that must later be reviewed, is as small as possible.
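The behavioral indicator and the log-monitoring recommendation above are the only technique this notice gestures at. As an added example that is not part of the notice and is not Bomco's tooling, the script below shows the kind of detection a file-server audit log can support: it buckets reads per user per hour, compares each hour against that user's own median over the preceding week, and flags an hour with an unusually large number of distinct files, noting any source IP the user has not been seen from before. The log format (JSON lines with `ts`, `user`, `src_ip`, `path`, `bytes`), the sample records, and the thresholds are all constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def build_sample_log():
    """Constructed sample log: three days of routine reads by 'alice' from her
    usual workstation, then a late-night burst of 400 reads from a host that has
    never touched the share. Not real data from any organization."""
    lines = []
    base = datetime(2025, 6, 11, 9, 0)
    for day in range(3):
        for i in range(12):  # one file every 15 minutes, 09:00 to 11:45
            rec = {"ts": (base + timedelta(days=day, minutes=15 * i)).isoformat(),
                   "user": "alice", "src_ip": "10.0.1.20",
                   "path": f"/shares/hr/doc{i}.docx", "bytes": 40_000}
            lines.append(json.dumps(rec))
    burst = datetime(2025, 6, 14, 23, 10)
    for i in range(400):  # one file every 5 seconds, all inside the 23:00 hour
        rec = {"ts": (burst + timedelta(seconds=5 * i)).isoformat(),
               "user": "alice", "src_ip": "10.0.9.77",
               "path": f"/shares/hr/archive/{i:04d}.pdf", "bytes": 250_000}
        lines.append(json.dumps(rec))
    return lines


SAMPLE_LOG = build_sample_log()


def hourly_buckets(lines):
    """Aggregate JSON-lines records into per-(user, hour) buckets of distinct
    paths, total bytes and source IPs. The field names are assumptions; map
    them to whatever your file server or EDR actually emits."""
    buckets = defaultdict(lambda: {"files": set(), "bytes": 0, "ips": set()})
    for line in lines:
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"])
        b = buckets[(rec["user"], ts.replace(minute=0, second=0, microsecond=0))]
        b["files"].add(rec["path"])
        b["bytes"] += rec["bytes"]
        b["ips"].add(rec["src_ip"])
    return buckets


def find_bulk_reads(lines, baseline_days=7, factor=10, min_files=50):
    """Alert on any (user, hour) whose distinct-file count is at least min_files
    and more than factor times that user's median hourly count over the
    preceding baseline_days. Also reports source IPs not seen for that user in
    the baseline window. The thresholds are hypothetical starting points."""
    buckets = hourly_buckets(lines)
    alerts = []
    for (user, hour), cur in sorted(buckets.items(), key=lambda kv: kv[0][1]):
        window_start = hour - timedelta(days=baseline_days)
        prior = [v for (u, h), v in buckets.items()
                 if u == user and window_start <= h < hour]
        baseline = median(len(v["files"]) for v in prior) if prior else 0
        known_ips = set().union(*(v["ips"] for v in prior)) if prior else set()
        n = len(cur["files"])
        if n >= min_files and n > factor * baseline:
            alerts.append({
                "user": user,
                "hour": hour.isoformat(),
                "files": n,
                "bytes": cur["bytes"],
                "baseline_files": baseline,
                "new_ips": sorted(cur["ips"] - known_ips),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_reads(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the routine hours hold four files each, so the 400-file burst is two orders of magnitude above baseline and comes from an IP the user has never used, which is the combination worth paging on. Comparing each user against their own history rather than a global threshold keeps a heavy-use analyst from tripping the rule daily; the `min_files` floor stops a user with an empty baseline from alerting on a handful of reads.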