As hackers issue ultimatum to employers affected by payroll cyberattack, how should they react?

The BBC is reporting that a cybercriminal group, believed to be operating from Russia, has issued a warning to prominent British companies such as British Airways, the BBC and other large organisations after a recent significant cyberattack on payroll services provider Zellis compromised banking and payroll data for potentially 100,000 staff. Zellis admitted its MOVEit installation had been exploited by the hacking group.

The group, known as Clop, communicated the threat in a fragmented form of English on the dark web, demanding that these companies email them before June 14, or else stolen data will be released.

So what action should affected employers take? We spoke to leading experts for their advice.

Jim Tiller, CISO at Nash Squared, a global technology and talent provider, advises:

“Any organisation that has used MOVEit must assume their data is in the wrong hands.

These organisations need to urgently review and categorise all their information assets that are likely to have been stolen to understand what represents the greatest threat to extortion and prioritise accordingly. From there it’s about assessing the risks associated with the exposure of the information, not only to the company but its clients, partners, affiliates and with those where information was exchanged. Without these critical steps, responding to ransom demands and determining a course of action will be reactive and ineffective.

Organisations need to not only come to grips with dealing with ransom demands, but also recognise that there is no way to ensure the criminals don’t publish the information even when paid. Moreover, multiple organisations – at least two, the sender and receiver – will likely be extorted for the same information. Therefore, even if one company pays, they may still fall victim if the other does not.

Unfortunately, this is clearly representative of some of the inherent risks with multi-tenant environments and, in this case, may not be covered by cyber insurance policies for that very reason. Many insurers will have clauses that are very similar to acts of God or mass events that exclude such attacks from coverage. Therefore, if companies haven’t already reviewed their policy with their provider, they need to as soon as possible.”

Leading data breach lawyer, Kingsley Hayes, Head of Data and Privacy Litigation at Keller Postman UK, adds:

“While ransomware attacks are becoming ever more frequent, it is unusual for cybercriminals to demand that victims get in touch with them to begin negotiations. With many points of failure in this breach, it’s unclear whether Clop wants Zellis, MOVEit, or its affected clients to contact them.

“We would never advise any victim of a data breach to enter into discussions with cybercriminals. Not least because, by the time data is in the hands of bad faith actors, it’s simply too late to keep it safe. We would advise all affected organisations take immediate steps to tighten up their data security practices, and to make sure their employees are kept fully informed about what is happening.

“Such measures are vital, because if your organisation handed personal data to a third party, then this data – and the safety of those it belongs to – remains your responsibility. This is the case regardless of who was breached. To the victims we would advise staying alert to calls and messages that may be seeking to extort money or further information; your data is highly valuable in the wrong hands.”

Sylvain Cortes, VP Strategy and 17x Microsoft MVP, Hackuity, calls for remediation but also long-term tackling of vulnerabilities:

“Avalanches start rather unspectacularly. That changes when the BBC, British Airways, and Nova Scotia’s government are hit. Microsoft suspects the Clop ransomware group is behind recent attacks. We suspect organisations need stronger preventative measures to mitigate these last-second scrambles. Today’s priority is absolutely remediation. Tomorrow’s must be prioritising these vulnerabilities before CISA issues mandates.”

Richard Walters, CTO of British cybersecurity firm Censornet, warned that companies need to improve their cyber alert systems:

“This cyber incident has the potential to fly right across UK industry.

“One of the organisations impacted by the cyber incident processes the salaries of approximately 5 million employees each month, and a third of the FTSE 100. Meaning the race is on for those organisations to ensure they have their checks and balances in place to protect their data. To do this, they must ensure they have full visibility over the security of their third-party software relationships.

“Cyber-attacks have the potential to quickly cascade across operational supply chains impacting organisations of all sizes. It is not just the large organisations that will be impacted - 26% of SMBs have lost data due to a cyber-attack in the last 12 months.

“Organisations must be able to spot unusual and suspicious behaviour. Now the cloud is a big part of our infrastructure – organisations need to be able to stop any attack, wherever it starts, and wherever it goes.”