Ransomware Attack on ENGlobal Highlights Growing Cybersecurity Risks for Critical Infrastructure

ENGlobal, an American energy contractor specializing in engineering and construction services for critical infrastructure sectors, experienced a significant ransomware attack in late November.

The breach disrupted its IT systems and prompted an ongoing investigation and remediation process. Jessica Lyons reports in The Register that ENGlobal disclosed the incident in an SEC filing, stating that an investigation revealed they had “illegally accessed the company’s IT system and encrypted some of its data files.”

The data theft has important ramifications for national security because the company’s customers include high-profile entities like the US Department of Defense and the Department of Energy.

Ransomware attacks have increasingly targeted organizations managing critical infrastructure due to their reliance on uninterrupted operations and the sensitive nature of their data. ENGlobal’s clientele and services make it a lucrative target for cybercriminals seeking ransom payments.

The company’s role in providing services to sectors such as energy, defense, and automation underscores its strategic importance and vulnerability. The broader context of these attacks includes recent incidents against healthcare institutions and utility providers in the US and UK.

ENGlobal detected unauthorized access to its IT systems on November 25, when attackers encrypted portions of its data. In response, the company initiated containment measures, engaged cybersecurity experts, and limited system access to essential operations.

The full scope of the breach remains unclear, and ENGlobal has not disclosed whether the incident will significantly affect its finances or business continuity. Notably, ENGlobal generated $39 million in revenue last year, underscoring the potential economic stakes of such cyberattacks.

Lawyers advising critical infrastructure clients must provide strategic guidance to navigate regulatory scrutiny, contractual obligations, and potential litigation stemming from data breaches.