
Case study

Responding to a ransomware crisis: protecting data and assets

What happened?

The Insured became aware of a cyber incident when a Threat Actor used the receptionist email account to send a ransom note to all staff.

The attacker had gained access to the account through a vulnerable server. In the email, it was claimed that all of the Insured’s data had been exfiltrated. The Insured found that its virtual machines had been deleted. The Insured maintained good backups. The following day, the Insured informed APRA and the ACSC.

As soon as the Emergence Incident Response team was contacted, it rapidly harnessed our forensics and legal experts to resolve the matter and respond to regulatory requirements and concerns. We were able to save the client hundreds of thousands in costs and expenses that it would otherwise have incurred as a result of the cyber incident.

How did the team assist in the incident response?

Late on Friday afternoon, the day after becoming aware of the cyber incident, the Insured contacted the Emergence Hotline. Forensics and legal experts were retained and a conference call was held within 30 minutes. A central concern was the potential exfiltration of personal information relating to customers and staff, including Tax File Numbers. Steps were agreed to ensure the incident was contained and that the Threat Actor had no persistence in the environment. Additional monitoring and response capabilities were deployed.

Following direction from APRA, a general notification was sent to the fund’s 200,000 members alerting them to the incident. In parallel, the Insured also notified the Office of the Australian Information Commissioner, which exercised its power to share information with other regulators. As a result, we coordinated information requests from many Government agencies, including APRA, ASIC and the ACCC.

We were able to return the business to full operation using the good backups, while preserving evidence for the forensic investigation. It was confirmed that 66 GB of data had been exfiltrated, out of a possible 4.6 TB held on the Insured’s accessed servers. We negotiated with the Threat Actor to receive a file tree of the exfiltrated data, and used this to conduct discovery on those files to determine the affected individuals and the types of information that had been exposed in the breach. Roughly 100,000 individuals were notified, and an independent helpline and website were set up to assist affected individuals in minimising harm from the incident.

How was this incident covered?

The incident involved cyber extortion against the Insured’s business, which triggered Section C of the policy – Cyber Event Response Costs. Section C covers reasonable costs to respond to the incident, including:

  • data securing costs to forensically investigate and secure the Insured’s IT environment
  • cyber extortion costs to engage a ransom negotiator (the ransom was not paid for this claim)
  • external management costs to assist with crisis management
  • data restoration costs to restore data and programs that were encrypted
  • public relations costs to handle communications with key stakeholders, members and the media
  • notification costs to engage a legal vendor to provide advice on and notify affected individuals and relevant government authorities
  • credit and identity monitoring costs to assist affected individuals
  • identity theft response costs to re-establish essential records of affected individuals

A significant number of vendors had to be engaged by both the Insured and Emergence in order to respond to this incident. The scope of the policy cover ensured these costs could be covered or reimbursed under the policy.

What are the cyber risk exposures and vulnerabilities that led to this incident, and what can be learned from it?

Two significant failures by third-party suppliers resulted in the incident. Firstly, the managed service provider failed to patch the Voice over Internet Protocol (VoIP) server, which had a vulnerability that was exploited to perpetrate the attack. Secondly, the Security Operations Centre monitoring the Insured’s IT infrastructure failed to respond appropriately to an alert triggered by the Threat Actor’s activity. Fortunately, the Insured had good backups, which enabled a relatively quick recovery. Businesses such as the Insured should be aware of the importance of patching, and of decommissioning unsupported software and hardware. Additionally, strict conditional access controls should be enforced, together with a data storage and retention policy that minimises the volume of sensitive data exposed if a breach does occur.
