Today is Easter Monday and you will probably read this article later. Hopefully you have had a great Easter, but what if someone hacked your computer system during these days? Cyber criminals do not take office hours into account and, besides that, a cyber incident always comes unexpectedly. In this article we share two claims examples where, despite the circumstances, the insured could resume its work as quickly and efficiently as possible.
The insured designs and manufactures cranes, excavators and heavy and specialised lifting equipment.
On 1 December, the insured discovered that it had been the subject of a ransomware attack. Up to 85% of its folders and documents had been encrypted. The insured called the AIG CyberEdge hotline and received incident response services from an IT forensic firm. Following advice, it decided to restore data with the back-ups. This work was finalised on 3 December.
As a result of the failure of the IT system, employees of different departments were unable to work on 1 and 2 December because they could not access the server. The insured employs approximately 300 production staff and engineers. Its main business consists of turnkey projects or engineering projects in which the use of IT equipment is essential in carrying out the work.
The engineering team stores information on the company server in order to enable sharing of information amongst employees. The engineering staff bill their chargeable hours directly to a project. The engineers' inability to work during this two-day period therefore directly reduced the number of hours the company could bill for. It was difficult to recoup these hours at a later stage because the insured had deadlines to meet on its various projects, and not meeting those deadlines would result in customers invoking penalty clauses.
Coverage was provided for the extra cost of engineering staff to guarantee the continuity of the operation and timely completion of the projects.
The insured business appeared to have been the victim of a phishing email scam, first targeting its employees and then its clientele.
The preliminary investigation into the incident revealed that an employee had clicked on a link contained in a phishing email nine months before the insured became aware of any issues, thereby exposing his mailbox to the perpetrators. At least two other employees’ email inboxes were affected when they clicked on a link in similar phishing emails they received. The perpetrators may have obtained contact information for clients by gaining access to these three inboxes.
Subsequently, over the course of 12 months, and with increasing frequency, the insured received queries from clients who had received “spoofed” phishing emails claiming to be from the insured but which, in fact, were from the scammers. These emails, like the one originally received by the three employees, prompted the clients to click on a false link where they were asked to provide login credentials, payment card information and other personal information used to support the insured’s “know your customer” analysis.
Several clients who had reported receipt of this phishing email were listed on a spreadsheet found in one of the employees’ mailboxes. This spreadsheet was a master list of clients, containing approximately 21,000 email addresses.
Forensic IT specialists engaged on advice from AIG blocked access to the suspect URL and performed a targeted investigation of the affected mailboxes to determine what data was accessed. Following a deep analysis of the data, the compromise was narrowed to fewer than 1,000 data records. This allowed the insured to formulate a bespoke, personalised response for affected clients, many of whom were high-net-worth, high-profile individuals.
CyberEdge is more than just an insurance policy. It is very important to intervene in every cyber incident as quickly as possible to put the company back on its feet again. That is why it is essential that our Response Service is available 24/7. Certainly after an extended Easter weekend, the potential damage can be exponentially bigger than when the situation is acted upon immediately. You can read more about this topic in an upcoming article.