We have advised on many cyber security crisis management and incident response matters, ranging from inside jobs and social engineering to sophisticated criminal hackers penetrating our clients' systems.
Due to the sensitive nature of cyber breaches, we have created the fictional case study below to demonstrate the incident response considerations and remedial actions an organisation could experience. The case study is inspired by real matters upon which we have advised, but is not based on one specific incident.
The Board of Directors at an international financial services organisation, headquartered in London with offices in financial centres throughout the world, including Paris, New York and Hong Kong, were considering a confidential merger offer.
On a Friday afternoon, before a three day weekend, the CIO received a ransom email from an unknown source stating they knew about the merger plans and had personal details of 150,000 customers. A sample of personal details for 500 customers was included in the ransom email as "proof". Unless a significant ransom was paid in Bitcoin they would leak the merger plans and sell the customer information. Herbert Smith Freehills was immediately engaged as legal counsel to manage and advise on the incident response and started work immediately, aided by forensic computer specialists, to assess and contain the threat.
The first step was to validate the threat. We found a discussion on a hacker site in the dark-net that revealed personal information of 150,000 account holders of our client was available for sale, with the same 500 customers' details provided as a "sample".
At the same time, and within a few hours, we had also preserved the relevant server logs and quickly identified and neutralised malware found on our client's network. During that time we had to assume that internal communications were subject to eavesdropping so secure channels were used between the client, lawyers and forensic investigators.
A careful review of the sample compromised data ensued to confirm if in fact sensitive personal information of our client's customer base had indeed been taken. Due to the international nature of this investigation we were careful not to export data across borders without appropriate safeguards in place e.g. the US is not a safe harbour for the purposes of the EU data protection regime unless the entities concerned were signed up to the US Department of Commerce Safe Harbour Scheme. The investigations confirmed that the information for the 500 customers was genuine. Server logs revealed that it had been extracted a few days' earlier. In this case, fortunately, it was only UK customers that were affected. However, scrutiny of the server logs revealed no evidence that 150,000 customers' details had been taken: the evidence pointed only to the 500 customers' details attached to the original ransom email having been taken.
Consideration was therefore given to whether or not the hackers were actually bluffing, both as to the suggestion that they had 150,000 customers' details but also as to the merger plans. There had been speculation in the press anyway about the potential deal, and there was no evidence from a forensic scrutiny of our client's systems that e-mail or other sensitive documents had actually been accessed.
Reporting and communications
As there were various offences being committed not least Computer Misuse Act offences and blackmail, we reported to the police and to Action Fraud in the UK. Guidance was also sought from the National Cyber Crime Unit and CERT-UK (National Computer Emergency Response Team).
CERT-UK advised that, in fact, one other company had been targeted with a similar demand and that reference had been made there to merger plans even though nothing was being considered for that company - in other words, there was a possibility that the hackers had mentioned merger plans without actually knowing there were any, but instead just on the off-chance that there might be.
With this in mind, the decision was made not to pay the ransom and to ride out the storm. However, it was still necessary to deal with the 500 customers' details that had been published.
We considered the need to notify the data subjects whose data had been compromised. The data involved was the customers' names, physical home addresses, e-mail address, home phone number and dates of birth. This data is of extremely high utility to hackers: the opportunity for identity theft or social engineering based attacks was significant. This risk could be reduced by informing the data subjects and so it was agreed that the data subjects should be notified and given practical guidance on how to reduce the risk of identity fraud. Prior to sending out the notification e-mails, the bank's customer service line was briefed on the situation so they could deal with queries, but also briefed to be on the lookout for social engineering attacks using the information (such as people phoning up pretending to be customers). A press briefing was also prepared. It was also in practice necessary to notify both the Information Commissioner's Office and the Financial Conduct Authority, and this was done within 24 hours of receiving the original ransom e-mail, and before notifying the affected data subjects.
Careful management of communications needed to be maintained throughout the investigation - not just at the start. The key was to be transparent: the press release would be scrutinised by security professionals, the regulators and the data subjects themselves so we ensured that the message was right from a technical, legal and commercial point of view. Data breaches evolve as further facts come to light so we also ensured that the relevant parties were kept up to date and provided advice to affected customers to increase their online security.
We were also mindful, in the context of the merger deal, that there would be due diligence issues as well as questions around cyber security that may devalue the company, so we facilitated a discussion with the Board of Directors and the prospective purchaser to settle any anxiety. In practice, there was a risk of a fine both from the ICO and the FCA, so the purchaser demanded that a sufficient sum to cover the likely fine was placed in escrow.
Since the incident had been notified to the ICO and FCA, a formal investigation followed into what had gone wrong, why, and what should be done to remedy the bank's procedures and processes (both human and technical) to prevent it happening again. It was necessary to report to the regulators on all of this, and these considerations would be taken into account in assessing any monetary penalty notice or fine.
Our investigation revealed that our client was compromised through a combination of human error, insufficient procedures and processes, and technical vulnerabilities in their IT systems.
The CEO of the financial services organisation maintained a high public profile, supporting various charities and speaking at industry-leading conferences. Her travels and conference appearances were publicised on the client's website, and without anyone’s knowledge, in even far greater detail in the social media accounts of her teenage daughter.
We discovered that information about the CEO was used to construct an email that was received by her Executive Assistant (the "EA"). The email appeared to be from the sponsor of a recent conference with an attachment that was described as an expense reporting form. The EA opened the email and downloaded the expense form. The form contained malware that created an administrative level account. Once inside the system, the intruders had unfettered access to our client's entire network, including the customer database, documents and e-mails. The hackers had gone straight for the customer database and had sought to extract customer details. However, the client's firewalls and other security measures (such as rate-limiting), and some scheduled downtime of the systems concerned, had presented challenges for the hackers when trying to remove a significant volume of information quickly. The client's intrusion detection system had also logged the events and had triggered an alert, but no one had acted on it because it had happened at the weekend.
Remediation and lessons learned
We advised the bank on the measures it should take to remedy the various deficiencies in its systems and processes. As part of the remediation stage we recommended that their day to day network be segregated from the network storing sensitive personal information and financial systems. We also worked closely with our client to improve their policies, procedures, and employee awareness programmes to increase their cyber maturity.
The contents of this publication, current at the date of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills 2020