UPDATED 22:20 EDT / FEBRUARY 24 2021

Cyberattack on Bombardier results in stolen data published on the dark web

Canadian aircraft manufacturer Bombardier Inc. is the latest victim of a cyberattack in which stolen data was published on the dark web.

Bombardier on Tuesday described the attack as a “limited cybersecurity breach” in which an “unauthorized party accessed and extracted data by exploiting a vulnerability affecting a third-party file-transfer application.” The dark web is a shady corner of the internet where illicit goods and services, including data troves, are bought and sold.

According to the company, the data stolen included personal and other confidential information relating to employees, customers and suppliers. Bombardier then ticked off the standard list of responses following an attack — informing those who have had their data stolen, employing third-party cybersecurity and forensic professionals, and notifying appropriate authorities, including law enforcement.

Although Bombardier may have been somewhat light in providing details, where the stolen data went points to the form of attack: It appeared on a site run by the Clop ransomware gang, according to ZDNet.

Another hint as to how the attack took place is in Bombardier’s mention that access was obtained by “exploiting a vulnerability affecting a third-party file-transfer application.” Recent Clop ransomware attacks, including those targeting law firm Jones Day and the Office of the Washington State Auditor, involved exploiting a vulnerability in software from Accellion Inc.

Even though Bombardier has not confirmed that the attack involved ransomware, previous Clop attacks, including one targeting German tech giant Software AG, involved a demand for a payment of about $20 million with a threat that if the ransom isn’t paid, the data stolen in the attack would be published online.

“The breach announced by Bombardier follows a Feb. 22 announcement by Accellion acknowledging attacks against its legacy file transfer application,” John Shier, senior security advisor at security company Sophos Group plc, told SiliconANGLE. “The significance of this breach is notable not only by its latest victim but also in the aggregate of previous leaks attributed to the same criminal group and using the same vulnerability. It highlights the potential risks posed by legacy applications that are allowed to persist in production networks.”

Trevor Morgan, product manager with data security specialists comforte AG, said the lesson here is that software should always be up-to-date or replaced with next-generation software that’s supported by the vendor.

“If you think you’re safe from breaches like this, then it’s probably time you really reconsider your data security strategy and methods,” Morgan added. “Complacency is your worst enemy and if you’re still depending on security methods that protect borders and perimeters, it’s probably time to think from a more data-centric perspective. If the data is the valuable part, protect the data and not the walls around it. That’s the data-centric approach in a nutshell.”

Photo: Austrian Airlines/Wikimedia Commons
