Balancing Incident Disclosure and Tactical Response: Lessons from the Halliburton Breach

BY Eldon Sprickerhoff

September 10, 2024 | 4 MINS READ

Attacks/Breaches

Ransomware

Regulatory Compliance

On August 22, 2024, global multinational energy firm Halliburton disclosed through an 8-K form filing to the Securities and Exchange Commission (SEC) that they were working with law enforcement to determine the extent of a successful computer systems breach conducted by an unauthorized third party.

The breach is believed to be linked to the RansomHub ransomware group, though Halliburton has not confirmed a ransom demand. Recently, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the HHS, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have published a joint advisory detailing RansomHub attacks.

Initially, minimal details were shared, but it has since been confirmed that data was accessed and exfiltrated from Halliburton’s systems during the cyberattack. Discovered on August 21, 2024, this breach resulted in service disruptions to portions of the company’s business applications and corporate systems, prompting Halliburton to take certain systems offline as a containment measure.

They also disclosed that they were continuing their investigation in order to assess materiality, and that some staff had been asked not to connect to internal networks.

That said, Halliburton has not disclosed the initial vector of the attack, and to date it does not appear that any ransomware gang has claimed responsibility for this incident. As such, any statement that ransomware was involved is speculative at best.

Upon disclosure, their stock (NYSE: HAL) briefly dipped but quickly regained its previous levels. It appears that the broader market did not perceive this incident as materially significant to the company’s overall performance. Moreover, the U.S. Department of Energy (DOE) disclosed that this incident had not impacted any energy services.

I would like to pose this statement: Halliburton is undoubtedly the target of at least hundreds of thousands of attacks every quarter, so the fact that one of them succeeded is not entirely surprising. It is not possible to proactively stop every single attack, especially for a company of this size, geographic spread, and employee base.

The initial vector is likely one of the “usual suspects”: socially engineered (or leaked) credentials, a “clicked” URL or “opened” infected attachment, an unpatched system, or a zero-day vulnerability in an externally facing system.

So, what now?

The Halliburton breach underscores a critical dilemma that many organizations face: balancing the legal and strategic imperatives of disclosure with the need for a measured tactical response. On one hand, companies are legally required to report significant breaches, particularly when sensitive data or financial performance may be impacted. On the other, there’s a need to manage the situation carefully to prevent further damage, both operationally and reputationally.

Moreover, disclosing too early or too late carries legal risks. Early disclosure can trigger panic or stock volatility (as seen with Halliburton’s brief stock dip), while delayed reporting could lead to accusations of negligence or regulatory penalties. Halliburton’s decision to disclose the breach early but limit the specifics demonstrates an effort to thread this needle carefully.

Halliburton’s response has included activating a cyber incident response plan, notifying law enforcement, and collaborating with external experts to investigate and remediate the breach. It appears that Halliburton has fulfilled the letter of the law by informing the market of its current situation. It is critical from a fiduciary duty that they clearly inform the broader market that there has been an incident – to register this fact – and that they are working on it.

Companies like Halliburton, which handle sensitive data and operate complex, geographically dispersed systems, must continuously invest in advanced detection and response capabilities to mitigate both IT and operational technology (OT) risks.

Since the DOE stated that there has been no impact to the delivery of energy, this hints that there was minimal (if any) entry into or impact on Halliburton’s OT side, and that the incident may be contained to the IT side of the business, which is still significant though not as operationally dire.

I have no doubt that further details will be disclosed at the next shareholders’ meeting and that further 8-K filings should be anticipated.

General Schwarzkopf once said, “The more you sweat in peace, the less you bleed in war.”

If anything, this incident highlights the increasing risks faced by critical infrastructure sectors and underscores the importance of maintaining robust operational resilience, including tactical preparation for the eventual cybersecurity attack.

To learn more about how you can protect your organization from modern ransomware attacks and prevent business disruption, connect with an eSentire cybersecurity specialist today.

Eldon Sprickerhoff, Founder and Advisor

Eldon Sprickerhoff is the original pioneer and inventor of what is now referred to as Managed Detection and Response (MDR). In founding eSentire, he responded to the incipient yet rapidly growing demand for a more proactive approach to preventing and investigating information security breaches. Now with over 20 years of tactical experience, Eldon is acknowledged as a subject matter expert in information security analysis. Eldon holds a Bachelor of Mathematics, Computer Science degree from the University of Waterloo.