Perhaps not the best way to deal with a data leak
Monday, 5 August 2024
I’ve written and spoken about security many times, but usually I have been suggesting to people what they might consider doing or not doing in order to keep their data safe. Even if everyone took my advice, I would still be worried whether they were completely secure because it’s a continual arms race between the hackers and the large organizations that use mainframes to maintain their security and keep their data safe. New software updates are installed that might contain previously-unknown backdoors. Patches to lock those back doors aren’t always installed quickly enough, so bad actors can use them. Staff members still click on attachments to emails that trigger malware, or they click on links and receive unexpected drive-by malware on their laptops. And there are numerous other ways that the bad actors can get onto your mainframe including, probably, new ones that most of us haven’t heard of yet!
But once you have been hacked, once the bad actors have accessed your computers, exfiltrated your data, encrypted your copy of the data, and left a ransom demand, what should you do? Let’s take a look at how one company dealt with a massive loss of data. It’s been in the news, so I don’t feel I need to keep its name secret, it’s NTT Data Romania.
NTT – Nippon Telegraph and Telephone – was established as a state monopoly in 1952 to take over the Japanese telecommunications system that was being operated by AT&T. NTT was privatized in 1985 to encourage competition in the country's telecom market.
NTT Data is a Japanese multinational information technology service and consulting company that originated in 1988. It is a partly-owned subsidiary of NTT. It acquired Keane Inc in 2010 and Dell Services in 2016, and other international companies. NTT Data mainly services non-NTT Group companies. NTT Data Romania was formed in 2000.
That’s a little bit of the company’s history. So, why am I discussing it as something we could all learn from in terms of a cyberattack?
RansomHub, the ransomware group, claimed that they had exfiltrated (stolen) 230GB of sensitive data from the company during an attack that was first detected on 14 June. The bad actors set a ransom deadline of 5 July or else they would publish the data they had stolen.
So, what would your company do if it happened to you? Would you alert your chief financial officer to get ready to pay out a huge amount of money in compensation and fines? Or would you decide to keep quiet about everything? NTT DATA Romania officially denied that a ransomware attack took place. They said in a statement to Romania Journal, “No ransomware attack. While there has certainly been some suspicious activity detected relating to a legacy server, the quick response taken by our security team prevented any further damage.
“On 14th June, suspicious activity was detected by our security monitoring team on a legacy server, separate from our corporate network. We immediately activated our Incident Response protocols and rendered the entire environment completely inaccessible and inactive.
“Additional measures to mitigate any further risk and protect the data of our customers were also activated. At this time, there is no visibility that client data has been affected.
“We are conducting an in-depth investigation into the situation and take the security of our client data very seriously.”
Who, within an organization, do you think would decide to keep quiet about a ransomware attack? In this case, three internal messages were sent by the CEO, Maria Metz, on 17, 18, and 24 June. Apparently, the first message confirmed the penetration and compromise of several platforms and services, and asked employees not to come to the company's offices, because they wouldn’t be able to access the data networks. Employees were also asked not to tell anyone outside the company about this crisis, including customers, suppliers, partners, the press, or other people.
You might call me cynical, but I don’t think that plan is going to work, do you? People naturally talk – especially when everyone asks them why they’ve not gone into the office.
With what you’ve seen already, you’ll not be surprised that the company denied the severity of the situation. In response to that, the hackers posted samples of the data, which apparently includes accounting, financial planning, and internal documents of every type and purpose. There’s also personal and recruitment data, project and business data, backup files, client and financial data, as well as legal documents.
You might be thinking, “poor old NTT Data”, but NTT companies seem to be having a bad time recently. NTT West’s president Masaaki Moribayashi resigned in March, following the leak of data relating to 9.28 million customers, which became known in October last year. And now NTT Data Romania in June this year.
I guess no-one wants to publicize their failings, and organizations are the same. However, there comes a time when the optics of owning up and taking steps to remediate the problem and appease the customers whose data has been stolen seems a better approach than trying to deny anything happened and asking staff to keep silent. I’m sure any stranger standing in the middle of a local supermarket or bar could have gathered the who story quickly enough by listening to what people were chatting about.
The other thing is that if your organization is hacked and you fix the problem, and then tell every similar organization how they could be hacked and what they need to do to prevent the same problem occurring to them, you now seem like one of the good guys, don’t you think?
The NTT West hack was, it’s claimed, an inside job. If NTT Data Romania’s was also an inside job, it should make senior staff wonder about the culture within their organization, and the quality and dedication of the staff working for that organization – including in senior management. Customers of NTT Data Romania must be waiting to for their information to start turning up of the dark web, and are probably discussing with their lawyers what sort of compensation they should be demanding from the company. And at the back of their minds, they must be wondering, if NTT Data Romania is keeping quiet about something big like a data loss on this scale, what else is it not telling them?
If you need anything written, contact Trevor Eddolls at iTech-Ed.
Telephone number and street address are shown here.