On November 22, 2020, Merrill Steel detected unauthorized activity on certain of its computer networks. That unauthorized activity was limited to one day, lasted only a few hours on that day, and, upon discovery, steps were taken to limit its scope. Despite those steps, the unauthorized access did nonetheless result in what is sometimes referred to as a “ransomware” attack such that certain of Merrill Steel’s files were encrypted with no available means to decrypt them.
Merrill immediately engaged IT and cyber security experts to investigate the incident, determine its scope and assist in obtaining the tools necessary to decrypt the affected files while also restoring our systems. Although that investigation remains ongoing and could yield a different outcome, Merrill has not currently found evidence that information on our systems was subjected to anything more than the unauthorized encryption. Put another way, we have not yet uncovered any evidence that personal information was taken and subjected to misuse. The information subjected to unauthorized encryption was only that of our employees (to our knowledge thus far, no personal or sensitive information of our customers was affected) but did include the following elements of personal information about those employees and certain of their spouses and dependents:
- names, addresses, dates of birth,
- direct deposit information,
- health insurance information, and
- Social Security numbers.
Out of an abundance of caution, Merrill Steel notified the affected individuals so that they could take steps to further protect their personal information. To assist them in doing so, Merrill Steel procured, for all affected employees, spouses and/or dependents, credit monitoring and other identity protection services. As the affected information included data governed by the Health Insurance Portability and Accountability Act, or “HIPAA,” we have notified and are working with the relevant HIPAA authorities. We issue this press release regarding what we would otherwise consider a closed and satisfactorily resolved matter posing no further threat, in order to satisfy our HIPAA obligations.
Since the time of the event, the talented employees of Merrill Steel have been working hard to recreate and restore the impacted systems and to further strengthen security systems to protect against a similar event occurring in the future.