Cyber team helps global company retrieve stolen data

With important information exposed, Clyde & Co’s Ian Birdsey charts how a coordinated lawyer-led breach response process rescued the situation.

Problem

To have a company’s precious, important, and secret information stolen is bad enough, but for it then to be used against it in a cyber extortion attack is doubly troubling. This was the unfortunate situation a large global company found itself in. 

After compromising just one employee’s laptop, an attacker, over a period of months, was able – through malware and key logging software – to capture system credentials that enabled access to the company’s entire estate, including all file servers. This allowed the cyber-criminal to extract a colossal amount of the company’s most precious and commercially sensitive information, literally millions of documents. 

Rich personal data, valuable customer data, sensitive staff data and key supply chain information were all taken. When the extraction was complete, the blackmailer wrote to the company’s CEO, explained the situation, and demanded a multi-million pound ransom be paid to prevent its disclosure and for its safe return. 

Solution

But this attacker had met its match and the company rose to the challenge, refusing to pay the extortion demand. Instead, they decided to send a broadside of their own, in the form of an international coordinated legal response. Ian Birdsey, cyber specialist at Clyde & Co, led the response team that came to the rescue. 

“We have a playbook of how to respond, gathered from thousands of cyber breaches, and employ legal project management methodologies to ensure everything gets done, on time, in a coordinated manner, and information is properly recorded. Everything that we could do in a breach response process in this instance we did do."

“We notified tens of thousands of affected people in over 100 jurisdictions,” Ian continues. “We set up multilingual call centres to field queries, offered credit monitoring, coordinated local law firms and informed the relevant regulators – data protection, financial, industry, etc. Due to it being a public company and the extortion sums involved, we worked with the highest levels of law enforcement authorities in the UK and the US. We also hired a PR firm, gave the affected company’s executives media training and dealt with post-notification complaints and claims. We created the breach narrative, and then took control of the story in the media, which were generally supportive of the hacked company’s refusal to bow to extortion.”

Outcome

Remarkably, the coordinated and rapid efforts taken by Ian Birdsey and his team of cyber experts helped identify a few mistakes the attacker had made. 

With the criminal sensing that the game was up they tried to post links to the data on social media. To thwart this Ian and his team were granted one of the first cyber injunctions in the UK. So, as the attacker posted links on social media, the injunction could be served on various social media platform providers, insisting that they pull the posts down. 

“While this game of whack-a-mole  was going on we used an IT forensics provider to track the attacker’s activity from the UK to Asia-Pac and onto the Middle East, before returning eventually to Europe,” says Ian. “It was here that – remarkably – we discovered all the stolen information in a data centre, where an injunction was threatened and the data subsequently deleted. The law enforcement authorities were amazed!”

With cyber criminals seemingly one step ahead of companies' efforts to fend them off, companies are unlikely to be criticized for having their first breach, but they will be mauled if they don’t manage it properly – or if they don’t learn their lessons and go on to have a second breach. Fortunately, in this situation the data was recovered, and the reputational impact was minimal. The client even received praise in the market and from customers for its approach.