Boat dealer MarineMax has confirmed that a recent ransomware attack resulted in a data breach impacting customers and employees.
The company disclosed the incident in a regulatory filing on March 10, when it admitted that the attack caused some disruption and involved unauthorized access to some of its IT systems. However, MarineMax said at the time that the breached environment did not store any sensitive data.
Roughly 10 days later, the Rhysida ransomware group took credit for the attack and launched an auction for data allegedly stolen from the company.
In a new SEC filing dated April 1, MarineMax said its investigation into the incident is ongoing, but it confirmed that the cybercriminals did exfiltrate ‘limited data’ from its systems, including customer and employee information. The compromised data includes personally identifiable information, the firm said.
Impacted individuals will be notified and MarineMax has also informed law enforcement and regulatory agencies.
“The Company has incurred, and may continue to incur, certain expenses related to its response to this Incident. Further, the Company remains subject to risks and uncertainties as a result of the Incident,” MarineMax said in its latest SEC filing.
It added, “While the Company is continuing to evaluate the full scope and impact of the Incident, as of the date of this filing, the Incident has not had a material impact on the Company’s operations, and the Company is still in the process of determining whether the Incident is reasonably likely to materially impact the Company’s financial condition or results of operations.”
On its leak website, the Rhysida ransomware group is apparently trying to auction the data stolen from MarineMax, with a starting price of 15 bitcoin (roughly $1 million). While the amount may seem high, the threat actors likely set this price because MarineMax is one of the world’s largest retailers of recreational yachts and boats. The company has nearly 4,000 employees and it recently reported quarterly revenue of more than $500 million.
Several screenshots published by the group in an attempt to demonstrate its claims appear to show that the attackers have stolen driver’s license and passport copies, financial documents, and internally used spreadsheets. A file tree made public by the ransomware group lists 180,000 files seemingly taken from MarineMax systems.
While the file tree appears legitimate, with hundreds of file names that include the string ‘MarineMax’, it’s not uncommon for cybercriminals to exaggerate their claims or fabricate data to increase their chances of getting paid.
The Rhysida ransomware group emerged in May 2023 and it has targeted organizations in various sectors, including government, IT, manufacturing, healthcare, and education. One of its victims is the British Library, which recently shared details on the destructive attack.
The US government issued an advisory for Rhysida in November 2023. The cybercriminals not only steal data from victims but also encrypt files stored on compromised systems. It’s unclear if the hackers encrypted files in the MarineMax attack or if they focused on data theft.
MarineMax has not responded to SecurityWeek’s request for additional information.