German auto supply giant Continental AG says it is still investigating a cyberattack on its operations in August, adding that it will take "several more weeks" to deal with the hack.
The company updated its probe into the event in a post on its website on Dec. 12, including a timeline of the attack and the aftermath, as well as information about the ongoing investigation.
The post consists of eight questions and answers aimed primarily at its own employees. It states that, as an employer, the company is doing everything it can "to analyze and evaluate the data with regard to the possible exposure of sensitive personal data."
It is the first time since the attack became known in August that Continental has made a public announcement about the status of the investigation. The company's more than $22 billion in annual global sales includes plastic and rubber seals and other functional components.
The supplier first revealed the attack to the public in August. At the time, it said the attack had been averted.
German business newspaper Handelsblatt reported in early November that the hackers had stolen around 40 terabytes of data from the company.
The theft was said to include sensitive data from customers such as Volkswagen Group, information on supervisory board meetings and correspondence from Chief Controller Wolfgang Reitzle.
Active and former employees were also affected, according to the report.
A list of the stolen data published by the hackers on the darknet suggests that personal data such as salary letters, ID cards, job application letters and birth certificates fell into the hands of the cybercriminals.
Continental said it is still unable to specify with the consequences will be "for potentially affected employees and other reference groups of the company" due to the ongoing investigation.
The FBI is also involved in the investigation.
Continental did not provide any information on the possible economic consequences in the statement.
The reason for the lengthy internal investigations is partly due to the extent of the data leak.
The company must analyze more than 55 million file entries from the list in the darknet.
Another complicating factor are the data protection considerations the audit must take, including the General Data Protection Regulation (GDPR), which stipulates companies must inform those affected by data leaks if there is a "high risk to personal rights and freedoms."
The attackers gained access to Continental's systems "by means of a disguised malware" that had been executed by a single employee.
The cybercriminals initially demanded $50 million for the data set but have since lowered the price to $40 million.
Continental, based in Hanover, Germany, ranks No. 8 on the Automotive News Europe list of top 100 global suppliers, with 2021 sales to automakers of $22.4 billion.