The first breach appears to have taken place on 8 January and came to light through the draft of a notice sent to affected parties by the company. It was published online by Bleeping Computer, a website that specialises in reporting about ransomware.
iTWire wrote to Artech on Sunday, seeking further information about the January breach but has not heard back as yet. [A partial screenshot of the list of data files leaked after the second breach can be seen below].
In the notice sent to customers, Artech's Eric Szoke said that the company had been told of unusual activity on a user's account and found that ransomware had been deployed on certain systems.
A review was then conducted and completed around 25 June, Szoke wrote, adding that some of the files that were tampered with contained information relevant to the person addressed in the notice.
Bleeping Computer said it had been aware of the leak on 11 January when the REvil gang leaked 337MB of files said to have been stolen from Artech's servers.
In a second notice, dated 4 September, Artech detailed the kind of information that had been stolen.
"The investigation determined that at the time of the incident the involved files may have contained information including name, Social Security number, medical information, health insurance information, financial information, payment card information, driver’s license/state identification number, government-issued identification number, passport number, visa number, electronic/digital signature, username and password information," it said.
A private firm, Artech says it had annual revenue of US$810 million in 2019. It has more than 10,500 employees and consultants across 40 US states, Canada, India, and China and has its headquarters in New Jersey.
Contacted for comment, iTWire's regular commentator on ransomware attacks, Brett Callow, who works for the New Zealand-headquartered security firm Emsisoft, said: "In cases like this, the second attack may or may not be related to the initial attack. The company could have simply had very bad luck ('To lose one parent, Mr. Worthing......').
"Or it could be the case that the initial attacker installed a backdoor that enabled the second attack. The fact that different ransomware was used in each attack does not eliminate this possibility. Both REvil and Maze operate on an affiliate basis and the affiliates - which will typically own backdoors - may work for multiple groups."