This week, it was confirmed that international law firm Jones Day had data stolen by cybercriminals, a direct result of the wider data breach suffered by file-sharing service Accellion. The hacker group, which goes by the name Clop, had uploaded much of the sensitive information to the dark web, and it may have included data on prominent clients such as Donald Trump.
When contacted by reporters at VICE as to why they carried out the attack, the response given was “what do you think? financial of course.”
The site DataBreaches.net was the first to report the incident and published screenshots of stolen Jones Day files that the Clop group had posted on the dark web as proof that the attack had happened and that it held the data. The group told DataBreaches.net it did not encrypt the files but only stole copies of the information, and said Jones Day has not responded to its requests.
The attack stemmed from a zero-day vulnerability in Accellion’s legacy file-transfer system. Its exploitation also impacted other big-name companies, including telecoms providers Optus and Singtel, and law firm Goodwin Procter LLP.
Providing industry insight and advice are the following cybersecurity experts:
Martin Jartelius, CSO at Outpost24
So what we are seeing now are the effects of the Accellion intrusion from December, which has already been discussed in relation to, for example, Singtel and others. It’s an external file sharing solution that’s decades old, and has been used by several organizations. As we are seeing more and more data related to the breach hitting the news, other organizations that have used the services should review and prepare processes to inform any clients and any individuals for whom data has been processed on this platform. Noting that we are approaching a two-month mark from when the breach likely occurred, those who suspect they may be affected should consider informing any affected data subjects at the soonest in line with current privacy legislation and not wait and hope for the best.
Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Centre)
“Modern business is based on an ecosystem of technology providers that form a digital supply chain. Compromising a business is then a matter of identifying the weakest link and accessing the data that it has on the business and its clients. While it is traumatic for any business leader to find themselves in the press for a data breach, the incident represents an opportunity. When a breach occurs, it’s the result of an exploitable weakness in the system and ecosystem. That weakness could be an unpatched vulnerability, misconfiguration, compromised credentials, or any number of other issues – and rarely is it only a single weakness that leads to data being stolen. It’s the cyber criminals who decide the rules of their attack, and those rules are based in part upon the data they encounter and the tools available to them. Reputational damage is inevitable following a cyber-attack, and one way to rebuild trust is to be transparent about the nature of the attack, but also the tactics used. Not only does such transparency rebuild client trust, but it also can serve as a warning to other businesses who might have similar “best practices” to those that were exploited and who haven’t yet been compromised.”
Sam Curry, chief security officer at Cybereason
“Attorney-client privilege is vitally important and should be respected, not just by attorneys and courts, but by anyone. A right to defence and fair trial is a critical ingredient of our society. However, the size of the leak is not as important as the substance. For instance, image files can be very large compared to text files. The same is true of audio or video for depositions. The big concern here is where did the data go and how will it be used, not how much of it there is.
It’s never a good option to pay a ransom, but it may be better than some alternatives. Are lives on the line in a hospital? Do the systems manage critical infrastructure in an energy plant? No one wants to pay, but this decision must be the victim’s once we rule out illegal entities and funding terrorists or banned organisations. The best solution is to not have single points of failure and to prepare ahead of time. After the fact is messy. Ransomware works. It’s where the money is. Rather than a comeback or discussion of tools, we should realise that this is the nature of crime. It will continue to grow as long as it is hugely profitable and not addressed. We need to deploy solutions that can stop it cold, we need to collaborate, we need to prepare ahead of time, or the beast will continue to get fed and keep on growing.”
Lamar Bailey, senior director of security at Tripwire:
“The old saying that a chain is only as strong as its weakest link also holds true for today’s extensive supply chains. If one of the products used by an organization is exploited, it opens up the organization to breaches also. Organizations need to be using threat intelligence services to alert them on any exploits or breaches of any provider or product (hardware and software) that is in use or has access to the network. When an alert is received, quickly assess if the vulnerable versions of the hardware or software are in use and take remediation actions. If a supplier was breached, assess what access the supplier had in the network and what data was accessible, then take actions to lock it down until remediations are in place.”
Eoin Keary, CEO and founder of Edgescan: