Schneider Electric Sustainability Division hit by major ransomware attack

What we know

This week Schneider Electric's Sustainability Division was targeted by Cactus ransomware, causing their sustainability services to be offline for nearly a week. Cactus has been active since 2023 and typically gains access to victim networks through vulnerable VPN gateways, but their method of intrusion in this instance in not yet known. Stolen credentials, phishing or exploiting known vulnerabilities are all possibilities.

The content of the stolen data is also unknown, but based on the Sustainability Division, which offers consulting services and renewable energy software solutions, the data is likely to include client information including sensitive information regarding customers' power usage, industrial control and automation systems, and compliance with environmental and energy regulations. Their client base includes large enterprises such as Clorox, DHL, DuPont, Hilton, Lexmark, PepsiCo, and Walmart.

Why it matters

Luckily, Schneider Electric’s network is segmented in that the ransomware attack was contained and did not spread to other areas of the business, as far as we know. However, given the burgeoning sustainability risks that are arising from more stringent regulations, access to the data is crucial for businesses. The EU’s CSRD and the increased focus on GHG emissions more generally has meant the market for sustainability data analytics software has boomed. Scope 3 emissions that focus on supply chains will only increase demand in the future.

But the knock-on effects of the attack could expose clients to wider risks. If data is disclosed that implicates Schneider Electric’s clients in poor sustainability practices, it could open them up to reputational damage or in the worst-case scenario, shareholder activism. Therefore, businesses will be looking to contain this as much as possible and Schneider Electric will be working towards understanding what data has been stolen and what risk that may pose. For Schneider Electric’s competitors in the sustainability data analytics industry, this is a good reminder to bake cyber security into their products and services, institute good patch management and access control, and recognise the liability they may hold.