When it comes to a cyberattack, the impact might not be immediately noticeable. In fact, that’s what a lot of hackers rely on to gain access to IT networks and systems, slowly but surely gathering all the data they need to make it difficult for your company to operate.
Alex works in the marketing team at mid-tier food manufacturer, Foodiez, and clicked on an email link that appeared to come through from the company’s CRM system. After entering his log in details, he was surprised to be met with no notifications. Brushing it off, Alex assumed one of his colleagues got to the request first. That was 15 weeks ago…
9:15am – could this be?!
Harry, Foodiez’s IT manager, is checking emails and spots one that makes his stomach churn.
“We have it. Your data. Don’t you want it back?”
Alongside this, there is a complete customer record – one of Foodiez’s biggest clients, with a full order history and transaction and bank account details going back years. Harry hopes that this is an elaborate prank, but can’t be sure. He calls in the Kyle, the Operations Director.
11:30am – unfortunately, it really could be
Kyle and Harry are caught up in an argument by the time Michael from legal turns up.
“C’mon mate, you of all people should know better. You sat and told us how to avoid these damn things!” Kyle vents. “It could have been anyone, at any time, with any log in details” retorts Harry, but he can tell no one’s believing him.
Michael chips in: “How can this data just be sitting there, shouldn’t it be encrypted or something?” Harry explains that, despite the multiple emails back and forth, not a huge amount was really done when GDPR came into force. However, before the buck can be passed around further, Kyle’s computer pings. It’s another email.
“£20,000 in Bitcoin to this address by 23:59BST or else you can say goodbye to everything you’ve ever worked for….”
1:30pm – what do we need to do…?
Customer data is now appearing on ReviewBoard, a site for sharing text and source codes. “This is an absolute disaster” says Michael. “What does our data breach policy say? What’re we meant to do?”
He’s met with silence. “Weren’t you meant to do that?” quips Kyle. It’s not the time for buck passing, so they decide to shut down the Foodiez site. It’s the only way to prevent more customers from having their data accessed. Alex isn’t happy about it as his team has just launched a campaign this morning, so more arguing ensues.
4:10pm – time to act
“We need to put a press release out there, let people know what’s happened” says Michael. Alex stresses that this couldn’t be a worse idea: “What would possess you to say that? We need to tell our customers directly, not the entire world! We don’t even know how much data has been affected!”
Conveniently, the company’s MD Tom is on holiday in Antigua. Needless to say, he’s not impressed and is totally confused – was there a breach? When did it happen? Where is the policy he requested legal to draw up?
Everyone draws a blank. Harry has spent the majority of his day working with the company’s IT provider to find out how this breach happened. Eventually, they find out the malware entered the system through an email Alex opened. But there’s something wrong with the dates…
It turns out that Alex opened the email months before IT rolled out the new awareness and training programme. “Too little, too damn late!” exclaims Kyle, “I knew we’d get caught with our trousers around our ankles with stuff like this.”
“Call the ICO” says a voice in the middle of the room. Turns out, they’d all forgotten that Tom was on speakerphone. “Hold your horses, we need to get a plan together” adds Harry. “We need to tell the ICO what we’ve done to mitigate the damage here, but we don’t even know how much damage has been caused….”
So, could you have handled this scenario better?
Foodiez clearly had some issues to resolve, but what could they have done prior to and during the attack?
- Being reactive puts your organisation a step behind the attackers. You need to move quickly in these situations
- Being vulnerable didn’t help Foodiez. There was no data breach policy, they didn’t know who was responsible for what and they spent too much time arguing at a time where they needed action the most
- Assess how many devices have been infected and get them offline
- Call the Information Commissioner’s Office and let them know what you discovered and how you mitigated its effects
- Preparing a statement for customers is an excellent idea but think about how you usually communicate them. Posting the statement on social media may seem like a good idea to the SMT, but marketing may want to contain and track the message. Work together to find a solution that supports your business
- Preparing a data breach policy and procedure gives your company the opportunity to iron out any kinks before you need to enact it. Regularly review it and see how you could improve processes with automation, additional IT services or more information within the organisation
- Never blindly pay a ransom until you’ve consulted your IT specialist and legal team. The attacker ended up posting customer data online anyway, so you clearly know they can’t be trusted and you don’t know if you’ll ever get your data back
- Call on your IT and insurance partners. Blame and responsibility can be decided at a later date; the future of your company cannot
We hope this scenario has shown you how a potential threat can turn into considerable damage for a business.
We’re hosting a security conference on Thursday 11th October at Silverstone Circuit. To find out more and book your free place, visit the Security Lab.