Alert
AL00343 - Notification of Data Breach at OSIsoft and Next Steps
2018-11-28
November 28, 2018

You may have seen a notice posted by OSIsoft in accordance with privacy norms for an internal data breach at OSIsoft. To OSIsoft’s knowledge, no customer accounts or information have been affected and this communication is primarily to provide transparency and information.

Stolen credentials were used to remotely access internal OSIsoft computers. Our security service provider recovered direct evidence of credential theft activity involving 29 computers and 135 accounts and we have concluded that all internal OSI domain accounts were affected. People with affected OSI Active Directory accounts have been notified and informed about what they should do. Note that customer accounts, such as those for the Technical Support Site and PI Square, are not affected by this incident.

Since learning of the breach, we are continuing to take steps to strengthen safeguards protecting our customers, the PI System community and OSIsoft. We have been engaged with threat detection and intelligence firms to review our systems for any unusual and unlawful activity. In this open-ended engagement, the firms will monitor activity and advise us on security strategies for the foreseeable future. We will also continue to disclose information to you per our Ethical Disclosure policy.

OSIsoft products are developed using a security development lifecycle process that includes human and automated code reviews in which products are checked for malicious code before digital signing. Based on what we have learned thus far, the attack did not affect our products or services, however, it did affect IT access safeguards. As such, we are performing a supplemental code review as an extra check to ensure the integrity our products and services.

At this time, there are no indicators of activity affecting customers and we are not recommending any action to our customers.

Security has always been and continues to be a high priority for our company and customers. We do not take incidents such as this lightly. We will strive to resolve this matter and keep you informed.

The official report can be obtained from the California State Attorney General at https://oag.ca.gov/ecrime/databreach/reports/sb24-141865. If you have concerns, we encourage you to contact OSIsoft Technical Support at techsupport@osisoft.com.