Do you know your vendor’s vendor?
It’s a scary thought, but it’s true: no one is safe in terms of cyber security. Any company could become a target, including us or our suppliers, in an almost brilliant and unexpected way. And that’s what just happened!
In the second week of June 2024, our accountant, a Dutch company that offers Microsoft 365 solutions for businesses, let us know that one of their vendors had been hit by ransomware: malicious software that gains access to your systems, encrypts or steals your data and demands a ransom to recover it. Companies protect themselves with secured backups that are physically located elsewhere, so that the backups cannot be encrypted or stolen together with the primary data.
To find out what the potential impact could be for us, we dug a bit deeper into the hack and re-read the accountant’s email. One paragraph caught our attention:
“…It is currently not clear what data was present on this network disk. In the unlikely event that the investigation reveals that, for example, your organisation’s personal data was present on the disk, we will of course inform you of this without delay (in accordance with the Processor Agreement) via a separate notice…”
Our accountant says they don’t know what data was stored on the network share. They also mention they would tell people if they found any personal information.
We wondered how they would ever work this out. They hired external specialists for further investigation, which seems smart. But the affected company’s first message about the attack made us realise they shouldn’t get their hopes up: it said the ransomware had encrypted “all backups and many of their large servers”.
“<COMPANY NAME> and the data centre is currently under severe attack with the very latest LockBit 3.0 encryption on all backups and many large servers.
All servers in the data centre with data are now temporarily on pause and thus unavailable.
So we are NOT reachable at the moment and will first take a good look at what the damage is and how we can mitigate it and set out actions. As the impact is huge, we will also report this here on our main page.”
The first and second updates on the hack made things even clearer. They said that backups were inaccessible or even overwritten. The experts they hired told them that these backups would “not be recoverable”.
“…The backups (see SLA) were made inaccessible or overwritten… Specifically, all backups of many customers were made inaccessible… Recovery can therefore certainly not be guaranteed either…”
“…For example, backups are not accessible at all ‘by default’ but versions have been taken away, not accessible even offline. So that also makes the question of recovery a tricky one. Can it be done? According to all experts, the hard answer to this is rock solid: NO…”
Lastly, the fourth update seems to indicate a high probability that our accountant’s file share is affected by the hack:
“…Are all customers affected? – No, it concerns a group of customers where a lot of data does run on file servers and legacy environments (especially financial institutions) and, in concrete terms, concerns about 25 customers out of the hundreds that <COMPANY NAME> serves…”
Impact
On Proteon
Based on the information that is currently available, it is impossible for us to determine the impact on our organisation. Our security officer requested more information from our accountant to know if they are one of the twenty-five financial companies that are subject to this hack and to better understand if there was any information about our company, employees or customers stored there.
On the affected company – Brand damage
This hack is potentially very damaging for the affected company. Although in their communication they mention that only ‘around 25 servers of the hundreds they manage’ were affected, the negative publicity reflects badly on the company.
On the affected company’s customers – Data unavailability and data loss
The company’s articles show that customers couldn’t access their data for days. It’s possible the data is lost.
Prevention
Any company is a potential target
Let’s be clear: if the hackers got into the company’s systems via not-yet-discovered exploits, the company can’t be blamed for that. Forensic investigation will have to establish when the hackers first got in and whether the company could have caught them earlier. Any company is a potential target for hackers, and things will go wrong eventually.
Zero trust
So, how should we protect ourselves from these things? Well, it’s best not to trust anyone.
Principle of Zero Trust
Apply a strategy of ‘never trust, always verify’. Even when a company advertises itself as the best and as offering the safest solution, don’t take that at face value: assess its claims.
Assess and Spread risks
Follow the best practices:
- read the terms of service and the service level agreements of all your suppliers;
- write down the claims they make;
- assess these; and
- verify these.
We know this is a bit of a hassle, but here’s an alternative: ask yourself some risk-based questions. For instance, what would happen if a certain online service wasn’t available? And what if you lost the info stored in that service? This will help you figure out how much you can trust a vendor and what extra precautions you might need.
Looking back at the case above, where a supplier offered network shares for customers to store their files and documents, those customers could have opted for data replication to another vendor, e.g. by having that other vendor create backups of the network share’s data.
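One way to make that second-vendor replication verifiable, as an added example that is not part of the original post and not Proteon’s own tooling: a Python script that builds a SHA-256 manifest of the share and of the replica held elsewhere, then reports files that are missing from or altered in the replica. The directory tree, file names and contents are constructed here for the demonstration; in practice the two roots would point at the share and at the other vendor’s copy.

```python
"""Check an independent backup copy of a network share for completeness
and integrity. Added example; paths and sample data are constructed."""
import hashlib
import tempfile
from pathlib import Path


def manifest(root: Path) -> dict[str, str]:
    """Map each relative file path under root to its SHA-256 digest."""
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            result[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def compare_replica(source: Path, replica: Path) -> dict[str, list[str]]:
    """Report files missing from, changed in, or extra in the replica.
    A 'changed' file is the signal to look for: an encrypted copy keeps
    its name but no longer matches the original content."""
    src, rep = manifest(source), manifest(replica)
    return {
        "missing": sorted(p for p in src if p not in rep),
        "changed": sorted(p for p in src if p in rep and src[p] != rep[p]),
        "extra": sorted(p for p in rep if p not in src),
    }


def build_sample_tree() -> tuple[Path, Path]:
    """Constructed sample: a share and a replica where one file never
    arrived and one file was overwritten (stands in for encryption)."""
    base = Path(tempfile.mkdtemp())
    source, replica = base / "share", base / "replica"
    for root in (source, replica):
        (root / "finance").mkdir(parents=True)
        (root / "finance" / "ledger.csv").write_text("2024-06,1000\n")
        (root / "readme.txt").write_text("ok\n")
    (source / "finance" / "invoices.pdf").write_bytes(b"%PDF-sample")
    (replica / "readme.txt").write_bytes(b"\x00overwritten")  # tampered copy
    return source, replica


def demo() -> dict[str, list[str]]:
    """Run the comparison on the constructed sample tree."""
    source, replica = build_sample_tree()
    return compare_replica(source, replica)


if __name__ == "__main__":
    print(demo())
```

Run it regularly from a host that the share’s own administrators do not control, and treat any non-empty “missing” or “changed” list as a reason to test a restore before you need one.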
Proteon to the rescue
We’re all about asking the right questions. We’ll help you do a risk analysis to make sure you only get the components you really need to be resilient. And if you want to go the extra mile, we’re happy to look over and test your vendor’s ToS and SLAs to make sure you get what you paid for.
Just a heads-up: the information and story above are based on what we’ve seen from our accountant and what the affected company has said on their own website. We haven’t spoken to the affected company directly.