It is unclear at this moment whether the whole NVIDIA network was compromised and how the attackers managed to gain access to the database containing employee usernames and passwords, or if the passwords were stored in a secure manner. After noticing the intrusion into the network, the system administration deployed security upgrades in order to prevent future intrusions. In a letter to the affected employees (PDF), the CIO of NVIDIA has asked them to reset their passwords. Though NVIDIA has not given any statement save this letter to the employees, indications are that details of more than 500 employees may have been exposed to the attackers. The letter, link of which is given above, was written to the employees on 17th December, 2014 and, as per the provisions of California Civil Code, NVIDIA also informed the Office of Attorney General regarding the data breach. The California Civil Code states that if unencrypted personal information has been exposed to an unauthorized actor during a security incident; which includes email addresses in combination with passwords that could facilitate unfettered access to an online account, the victim company shall have to notify the Office of the Attorney General. The letter to the employees, signed by NVIDIA Chief Information Officer Bob Worrall, also asks the employees to enact some measures for keeping data safe on the network. In addition Worrall has also asked all the affected employees to monitor their bank accounts, credit card statements and credit reports for any unusual entries. If they detect any unusual entries or have any suspicions of identity theft or fraud, Worrall has asked them to notify the same to the local police, the state’s Attorney General’s office, or the Federal Trade Commission (FTC). The letter also asks the employees to be alert to phishing mails and change their passwords regularly.
