Cybersecurity Incident Update
Updated May 21st
Updated May 21st
On April 26, 2025, Hitachi Vantara experienced a ransomware incident that has resulted in a disruption to some of our systems. The incident is fully contained. We have not detected any new unauthorized activity in our network since April 27, and we continue to see no signs of lateral movement outside of our environment. We have engaged third-party subject matter experts to support our investigation and remediation process. We are pleased to report that services are returning online progressively and in alignment with strict security validation protocols.
We will provide updates on this webpage as appropriate.
1. What happened?
On April 26, 2025, Hitachi Vantara experienced a ransomware incident that has resulted in a disruption to our systems, as well as to Hitachi Vantara Manufacturing.
2. When did you learn about this incident?
We identified suspicious activity on April 26, 2025.
3. Is the incident contained?
The incident is fully contained. There has been no detected threat actor activity since April 27, verified through continuous enhanced monitoring by our internal teams. We continue to implement measures to ensure containment and strengthen our security posture to prevent future incidents.
Furthermore, we have no evidence that the threat actor moved laterally from our environment to any external systems.
4. What did Hitachi Vantara do in response?
As soon as we detected suspicious activity, we immediately launched our incident response protocols and engaged third-party subject matter experts to support our investigation and remediation process. We also proactively took our servers offline in order to contain the incident.
Proactively taking our servers offline was key to containing the impact.
We continue to implement measures to ensure containment and strengthen our security posture to prevent future incidents.
5. What specific platforms/products/services are impacted by this incident?
Self-hosted customers can continue to access their data as normal, and can submit support cases through the Support Connect portal. Hitachi Remote Ops monitoring and alerting capabilities for Hitachi Block, Object, File, Server and Network Products were restored as of May 6, 2025. Alerting and monitoring capabilities for all other Hitachi Vantara products and third-party products that Hitachi Vantara supports will become operational as our team continues to make significant progress on the restoration with support of external experts.
Importantly, all restored systems have undergone thorough scanning using Cortex XDR and Endpoint Detection and Response (EDR) tools, updated with the latest Indicators of Compromise (IoCs).
6. Is my organization’s data impacted?
At this time, we have no indication that data from customer-operated or customer-owned systems has been compromised. If that determination changes, we will provide notification in accordance with our obligations.
7. When will I receive additional information about this?
We will continue to provide proactive updates to our customers as we have new information to share on the progress of our investigation and restoration.
8. Are normal support channels available?
We are pleased to report that services are returning online progressively and in alignment with strict security validation protocols.
Support Connect access has been restored as of May 12, 2025, and customers can resume submitting support cases through the portal. Hitachi Remote Ops (HRO) monitoring and alerting capabilities for Hitachi Block, Object, File, Server and Network Products were restored as of May 6, 2025.
9. What about partners?
Support Connect access has been restored as of May 12, 2025. Partners can open a support case through the portal as usual.