Weak Password Allowed Hackers To Sink a 158-Year-Old Company (bbc.com)
An anonymous reader quotes a report from the BBC: One password is believed to have been all it took for a ransomware gang to destroy a 158-year-old company and put 700 people out of work. KNP -- a Northamptonshire transport company -- is just one of tens of thousands of UK businesses that have been hit by such attacks. Big names such as M&S, Co-op and Harrods have all been attacked in recent months. The chief executive of Co-op confirmed last week that all 6.5 million of its members had had their data stolen. In KNP's case, it's thought the hackers managed to gain entry to the computer system by guessing an employee's password, after which they encrypted the company's data and locked its internal systems. KNP director Paul Abbott says he hasn't told the employee that their compromised password most likely led to the destruction of the company. "Would you want to know if it was you?" he asks. "We need organizations to take steps to secure their systems, to secure their businesses," says Richard Horne, CEO of the National Cyber Security Centre (NCSC) -- where Panorama has been given exclusive access to the team battling international ransomware gangs. A gang of hackers, known as Akira, broke into the company's system and demanded a payment to restore the data. "The hackers didn't name a price, but a specialist ransomware negotiation firm estimated the sum could be as much as 5 million pounds," reports the BBC. "KNP didn't have that kind of money. In the end all the data was lost, and the company went under."
Backup (Score:5, Insightful)
The digital world is a cat-and-mouse game, and you don't want to be the mouse.
I'm sure a small part of the estimated 5 million pound ransom would have gotten them a decent backup system. Even a "hot spare".
Re: (Score:3)
Or hardware tokens that cannot be replicated in other continents.
Re: (Score:2)
This is the one that shocks me.
Haven't hardware tokens been pretty easy to use for a while?
It should have at least required a weak password and good social engineering, and realistically even a good password falls to good social engineering (which isn't particularly relaxing news).
Re: (Score:2)
I'm guessing their IT support didn't employ anyone with actual IT expertise. Maybe it was led by the company owner's kid.
Re: (Score:2)
I'm guessing their IT support didn't employ anyone with actual IT expertise. Maybe it was led by the company owner's kid.
Ahh yes, the putting all your eggs in one basket case.
Re:Backup (Score:4, Informative)
Indeed.
My company used to do IT work for physician practices. We got an urgent call for help from a doctor one day, saying their server had crashed, and they didn't have any backups. Our tech, luckily, was able to fix the problem. The first thing he did was create a backup.
A year later, the same company called again for help. The server had crashed again. When the tech took a look, he found that the last backup was the one he had done the year before.
Some people never learn.
Re: (Score:2)
I'm sure many people on here don't floss/brush their teeth regularly. When they arrive with cavities and mouth ulcer emergencies, I'm sure their dentist too says something like "some people never learn".
Re: (Score:2)
I don't know exactly how big, but it was a physician practice big enough to run their own server. That's all that matters. If you're big enough to run your own server, you'd better take care to run your server well...and do backups. If you're not, you'd better be running your practice in the cloud.
Re: (Score:2)
Re: Backup (Score:1)
Let's get physical? Get their attention first! (Score:2)
But we are all the mice now.
However, part of the real problem is with bad boys who are smart enough to encrypt the backups, too. Just a matter of patience balanced against estimating the costs of figuring out and recovering from the mess even if some old backups are safe somewhere...
I think the solution has to involve disrupting the criminals' business models. Not involve creating new cryptocurrencies for laundering the loot. Not to mention the fake-money used to crypto-bribe the corrupt politicians to keep
Re: (Score:2)
This is why you have offsite backup (Score:2)
Re: (Score:1)
Or just use OneDrive or CrashPlan or similar real-time backup system. For a lot of small companies, your suggested plan requires a lot of tech knowhow and a lot of labor.
Re: (Score:2)
This is still going to be linked to your main account. If you have access to the main IT guys' credentials, you have access to reset the password for the account for your online backup, and then just go delete those backups. You can't delete a hard drive in a fireproof safe in a secure office. Even if that data is 2-3 weeks, 1-2 months old or whatever, that's still a recoverable loss.
Re: (Score:2)
If you're root on the system you can disable 2FA or just create a new user with whatever permissions and credentials you like.
Re: (Score:2)
CrashPlan and OneDrive offer additional security and DR options, for those who want them. Further, these tools don't just back up the latest copy of your files, but every revision of your files since the beginning. Worst case, you have to restore an old version.
It's true, you can't delete a hard drive in a safe. But there are lots of other risks to physical media. If you haven't actually attempted to restore your data, you don't know if you actually *can* restore your data. It might be corrupted, the backup
Re: (Score:2)
Whut? (Score:3)
Was that for legal reasons? Scruples?
Re: (Score:3)
Surely the hackers would rather take what they could get. You pay the money and do better next time, no? I'm sure something is missing from the article.
Re: (Score:2)
Yeah it seems like there must be some details we are not getting.
Now I can imagine that the intruders did not exfil the data, just ciphered it in place. In which case they don't have, and never had, access to the internal financial records. So if you tell them "but we ain't got 5 million pounds" they might say "f*** you, you're lying, pay us or get f***ed", at which point there's nothing you can do but say "no really, the best we can possibly come up with is N pounds", and if the gangsters won't take it, well, that is the end of the
Re: (Score:1)
It's not the employee (Score:5, Insightful)
Blaming the employee for the failure of the company is wrong. The company failed because they didn't have good data management or access controls. If the password was compromised due to being "weak", then the company also didn't have good password controls.
Re: (Score:2, Interesting)
It's stupid records management policy. Company records MUST be write-once ... there should be no way for anyone (including and especially the upper management or admin) to delete/modify previously created RECORDS. E.g. there should be no operational way to "delete" or "modify" existing records. If you want to "correct" an error, just write another record indicating that the previous record is wrong, etc. If you want to delete a record, write another record indicating that the older record is no more.
That's
Re: (Score:1)
there should be no operational way to "delete" or "modify" existing records.
Technically, this is very hard to do. It's much easier to set things up so there should be no operational way to "delete" or "modify" existing records without it being obvious that something out of the ordinary is going on.
With the right level of access, there will be a way to copy everything from the existing media EXCEPT what you want deleted to new media. As long as this is easy to detect (say, CCTV recordings showing someone entered the server room, downed the server, removed the write-once media, use
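An added example, not code from either poster, of the write-once records scheme the two comments above describe: corrections and deletions are new records rather than edits, and each record carries the hash of the one before it, so removing an entry from the middle of the log is obvious. The `witnessed_head` parameter is an assumption of this example: a copy of the latest hash kept outside the admins' reach is what makes cutting off the tail of the log detectable, since a truncated chain is otherwise self-consistent.

```python
import hashlib
import json
from typing import Any, Optional

GENESIS = "0" * 64

def digest(payload: dict[str, Any]) -> str:
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

class AppendOnlyLedger:
    """Write-once store: corrections and retirements are new records, and every
    record carries the hash of the previous one, so tampering breaks the chain."""

    def __init__(self) -> None:
        self.records: list[dict[str, Any]] = []

    def head(self) -> str:
        return self.records[-1]["hash"] if self.records else GENESIS

    def _append(self, kind: str, target: Optional[int], body: dict[str, Any]) -> int:
        payload = {"seq": len(self.records), "kind": kind, "target": target,
                   "body": body, "prev": self.head()}
        self.records.append({**payload, "hash": digest(payload)})
        return payload["seq"]

    def create(self, body: dict[str, Any]) -> int:
        return self._append("create", None, body)

    def correct(self, target: int, body: dict[str, Any]) -> int:
        return self._append("correct", target, body)   # old record stays, new one supersedes

    def retire(self, target: int) -> int:
        return self._append("retire", target, {})      # "delete" is a tombstone record

    def current_view(self) -> dict[int, dict[str, Any]]:
        """Fold the log into effective state: latest correction wins, tombstones hide."""
        view: dict[int, dict[str, Any]] = {}
        for rec in self.records:
            if rec["kind"] == "create":
                view[rec["seq"]] = rec["body"]
            elif rec["kind"] == "correct" and rec["target"] in view:
                view[rec["target"]] = rec["body"]
            elif rec["kind"] == "retire":
                view.pop(rec["target"], None)
        return view

    def verify(self, witnessed_head: Optional[str] = None) -> bool:
        """Recompute every hash and link. Only a head hash kept outside the admins'
        reach (printed, WORM media, another organisation) also catches truncation."""
        prev = GENESIS
        for expected_seq, rec in enumerate(self.records):
            payload = {k: rec[k] for k in ("seq", "kind", "target", "body", "prev")}
            if rec["seq"] != expected_seq or rec["prev"] != prev or rec["hash"] != digest(payload):
                return False
            prev = rec["hash"]
        return witnessed_head is None or prev == witnessed_head

def demo() -> tuple[bool, bool, bool, bool]:
    """Constructed sample: two invoices, one corrected, one retired, two tampering
    attempts. Returns (intact, middle cut caught, tail cut passes plain check,
    tail cut caught by witnessed head)."""
    ledger = AppendOnlyLedger()
    a = ledger.create({"invoice": "INV-1", "amount": 100})
    b = ledger.create({"invoice": "INV-2", "amount": 250})
    ledger.correct(a, {"invoice": "INV-1", "amount": 120})
    ledger.retire(b)
    witnessed = ledger.head()                      # copy stored out of band
    cut_middle, cut_tail = AppendOnlyLedger(), AppendOnlyLedger()
    cut_middle.records = ledger.records[:1] + ledger.records[2:]
    cut_tail.records = ledger.records[:-1]
    return (ledger.verify(witnessed), not cut_middle.verify(witnessed),
            cut_tail.verify(), not cut_tail.verify(witnessed))
```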
Re:It's not the employee (Score:5, Insightful)
"Password controls" are one of these stupid IT security myths pushed by the incompetent. All passwords of regular users need to be regarded as weak. If you need more, you _must_ add 2FA. There is no major security control catalog left that does not ask for 2FA for good authentication.
Re:It's not the employee (Score:4, Funny)
Re: (Score:3)
Re: (Score:2)
The weak link was the bean counters. Unless their IT was of the CEO's nephew variety, they repeatedly asked for money for backups but had the requests refused.
Re: (Score:3)
Re: (Score:2)
Were you paid for the building's security? Or were you the person who requested that a screen door be installed instead of a solid one to reduce costs?
If you answered "yes" to either question, then you do share the blame.
Re: It's not the employee (Score:1)
Nice to see victim blaming is still strong
Was it also a woman's fault she was raped, because of the clothes she wore?
Re: It's not the employee (Score:1)
Re: It's not the employee (Score:2)
Re: It's not the employee (Score:2)
What if you weren't even aware of the possibility of locking your door, or even closing it, to help stop intruders?
That strikes me as a better analogy.
You can't prevent all risks, but you can make it a little bit harder for attackers by taking some precautions. Leaving your entire company vulnerable to a single compromised password implies that those precautions weren't taken.
This strikes me more as incompetence than anything else, which is not surprising from a small company, that just wouldn't have prope
Wrong. (Score:5, Insightful)
Their company did not fail because of a ransomware hack.
Their company failed from not having adequate off-site backup of their data.
The cloud does absolutely nothing to protect you from needing a real disaster recovery plan, and any business that doesn't have one deserves what they plan for (or don't plan for).
Also: a backup that isn't tested is not a backup to bet your business on. Back up your shit, test your backups, and make sure there is a copy of your tested backup somewhere that a ransomware dipshit can't get to it, like LTO tapes in a closet in your office.
Re: (Score:3)
Re: (Score:2)
Without reading TFA how is cloud not off-site backup?
I would think dumping to some kinda S3 write only is more reliable than anything even a medium size company could do.
The last company I worked for we did backblaze for an S3, it couldn't be deleted or updated (versions new files). I fail to see how a company that wasn't quite large could do better on their own. Of course the big risk there is the primary backblaze account getting hacked and the whole thing killed.
Where I worked though they used RAID (mirr
Re: (Score:2)
like LTO tapes in a closet in your office.
Better yet are LTO tapes off your office.
Hacks are not the only disaster that can happen to a digital business; old-fashioned physical disasters (i.e. fires, floods) will destroy your local data and your local backups as well.
No. (Score:5, Insightful)
No; a weak password did not kill this company.
Management not investing in the most basic of backup systems is what killed the company.
Companies get their systems wiped out every day nowadays by ransomware hackers. Then, they pull the plug on the internet, scrub the computers, and restore from a recent backup. That is management.
This is stupidity.
Re: (Score:3)
This is stupidity.
I would call it gross negligence instead, because you have to be entirely disconnected from the real world to not be aware of this threat.
So, no write-protected backups, no BCM and DR preparations, no strong authentication, and hence no ransomware preparedness. This is 100% on the decision makers that screwed up to an unbelievable degree.
Re: (Score:2)
Then, they pull the plug on the internet, scrub the computers, and restore from a recent backup. That is management.
This is stupidity.
Have any of the ransomware attacks taken the step of trashing/encrypting the backups and then waiting for some period to attack the live systems, so that restoring from a recent backup isn't an option? Most backup systems expire older backups on some schedule to avoid an unending increase in the size of their backup storage pool. So, an attacker could either destroy the backup system directly, or they could let the backup system destroy itself if they encrypted everything, but had the systems set up to tr
Re: (Score:2)
Yeah, I totally agree, and I get an urge to puke at this lame excuse worthy of an award.
Sorry I don't buy this excuse.. (Score:2)
In KNP's case, it's thought the hackers managed to gain entry to the computer system by guessing an employee's password, after which they encrypted the company's data and locked its internal systems. KNP director Paul Abbott says he hasn't told the employee that their compromised password most likely led to the destruction of the company.
This would have to be the system administrator's password, and even then I would say it was poor management if they had access to all.
This is a constant fight that I have with clients. Everything needs to be easy. Security is not a consideration. Then something happens and they look for answers that don't interfere with operations. Everyone else is to blame.
If the data is that important then it should have been secured behind more than one employee's password.
Re: (Score:2)
This would have to be the system administrator's password
No. "Lateral movement" is a thing. In fact, it is an entirely standard thing in such an attack.
How many more stories? (Score:3)
It was unthinkable to run a company without reliable backups 25+ years ago. Today I'd call it criminally negligent. How many more stories does the CIO need before s/he makes this a priority?
Just incredible how this keeps happening.
IT department did this (Score:3)
Unless the IT dept tried to implement security and proper backups and were denied, this is the IT department's fault. Some random employee with a weak password can't cause the loss of a properly implemented network.
Re: (Score:2)
And in the real world, the responsible C-levels fired anybody that was pushing for real security and replaced them with weak yes-men.
In most cases, something like this is actually the fault of the ones that hired the IT people.
Re: IT department did this (Score:2)
Or more likely IT asked for IDS, DR, security audits etc etc and that budget got nixed as costing too much
Pre-computer equivalent (Score:1)
Imagine it's 1950s or earlier. You run a business that lives or dies by paper records, such as an insurance company, land office, or something similar.
Your office burns down, taking all the data with it. You don't have off-site backups (microfilm, carbon copies, or what-not). Thankfully the fire was after-hours and nobody was hurt.
Your business is probably toast, figuratively and literally. At best, you are insured and will be able to start over from scratch, but your existing customers might prefer to
Re: (Score:2)
Reasonable lines Re:Pre-computer equivalent (Score:1)
I am reminded of the company in the World Trade Center that had off-site backups. Which they kept in the other tower.
Reasonable risk-managers only go so far. There's always the "big asteroid that goes undetected" that lands on your building during a big in-person meeting that has most of your company's key talent.
I don't understand insurance, then (Score:1)
The BBC article said that they followed current cybersecurity guidelines and had cyber security insurance.
What did that "insurance" provide, exactly, in this case?
Re: (Score:3)
Well, there is "following" guidelines and there is "following" them. And they may not even have done the fake version, but just told the press they did.
As to "cyber insurance", the insurance gives you what you have a contract for if you followed the conditions in that contract. "Cyber insurance" is an entirely unspecific term and can mean basically anything.
Bottom line is, they got hit, they were unprepared and they got wiped out. I see some very high likelihood of at least gross negligence in the C-levels.
Backups often won't help (Score:3)
This is if you actually have encrypted, off site and immutable backups that are worth poisoning. When was the last time you checked in your company how easy it is to infect backups?
This is why some EDR solutions have anti-ransomware mechanisms to secure contents before or as it's being encrypted.
This is also why you might have a managed SIEM service so when dodgy stuff happens on your network it can be caught early or reacted to before everything is crypto locked.
Also, you might look at replication solutions that will help you recover by restoring only parts of the data you know is safe based on signing or last update values.
The answer is not EDR or XDR or SIEM, replication, immutable backups etc etc, although that's tempting.
The answer is proportional training and defence in depth with an incident response plan to match, so that when shit happens you can take appropriate action.
As a security professional it is your job to consider the realistic risk to the company, the cost of the impact should an incident occur and how to mitigate, avoid, prevent or accept that risk. Ideally at a much lower cost.
When a CEO wants to know why money should be spent, AKA what is the return on security investment, this story and its impact should not be quoted. Instead it's better to understand the relevant risk and impact to the specific business of that CEO's company.
How much could a ransomware attack cost your business? What are the odds you'll be attacked in the next 10 years? What is the cost of mitigation per year? Should you outsource? Should you get cyber insurance? Do you need a crack team of ITsec incident response professionals?
Hire a consultant today. One thorough annual review might save you and your employees a lot.
Re: (Score:2)
Backup poisoning? AFAIK, that is a myth. Got any references for that?
What a ransomware gang does if they can reach the backups is simply delete them.
Re: (Score:3, Interesting)
A ransomware group worth spit would have poisoned your backups so when you're having your genius moment to restore from snapshot or tape backup from last month, guess what? It has ransomware as well!
My recent backups might be infected, but my "day of compromise minus one" backups won't.
Even if my recent backups are infected, they are likely to not be ransomware-encrypted, which means they are still useful to me.
Re: (Score:2)
my "day of compromise minus one" backups won't.
What day is that? A ransomware group worth spit doesn't "pull the plug" the day after they compromise a system. They might wait weeks or even months before scrambling your systems after the infection is in place.
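An added example (not from any poster) that puts numbers on the point made in the comment above and in the earlier "let the backup system destroy itself" comment: backup expiry schedules, not the backups themselves, decide whether a "day of compromise minus one" copy still exists by the time the encryption is triggered. The grandfather-father-son policy values, the one-backup-per-day assumption and the dates are constructed for illustration, not anything KNP is known to have used.

```python
from datetime import date, timedelta

# Assumed policies, not KNP's: keep every daily backup for `daily` days, Sunday
# backups for `weekly` weeks, 1st-of-month backups for `monthly` months (0 = tier off).
GFS = {"daily": 14, "weekly": 8, "monthly": 12}
DAILY_ONLY = {"daily": 30, "weekly": 0, "monthly": 0}

def months_between(older: date, newer: date) -> int:
    return (newer.year - older.year) * 12 + newer.month - older.month

def is_retained(backup_day: date, today: date, daily: int, weekly: int, monthly: int) -> bool:
    """Does a backup taken on backup_day still exist on `today` under the policy?"""
    age = (today - backup_day).days
    if age < 0:
        return False
    if age < daily:
        return True
    if weekly and backup_day.weekday() == 6 and age < weekly * 7:
        return True
    return bool(monthly) and backup_day.day == 1 and months_between(backup_day, today) < monthly

def retained_backups(today: date, policy: dict, horizon_days: int = 800) -> list[date]:
    """All backup days still on the shelf, oldest first (one backup per day assumed)."""
    days = (today - timedelta(days=n) for n in range(horizon_days, -1, -1))
    return [d for d in days if is_retained(d, today, **policy)]

def clean_backups_on(detonation: date, first_compromise: date, policy: dict) -> list[date]:
    """Backups taken before the intruder got in that have not yet been expired
    by the time the encryption is triggered."""
    return [d for d in retained_backups(detonation, policy) if d < first_compromise]

def retention_horizon_days(today: date, policy: dict) -> int:
    """Age of the oldest retained backup plus one. An intrusion that stays dormant
    longer than this outlives every clean backup, so the longest tier of the
    policy, not the daily one, is what bounds the protection."""
    return (today - retained_backups(today, policy)[0]).days + 1

if __name__ == "__main__":
    got_in, pulled_trigger = date(2025, 1, 1), date(2025, 3, 1)   # constructed dates
    for name, policy in (("daily-only", DAILY_ONLY), ("GFS", GFS)):
        clean = clean_backups_on(pulled_trigger, got_in, policy)
        print(f"{name}: horizon {retention_horizon_days(pulled_trigger, policy)} days, "
              f"{len(clean)} clean backups left, newest {clean[-1] if clean else None}")
```

With these constructed values a daily-only policy has no clean backup left after a two-month wait, while the monthly tier of the GFS policy still holds nine, the newest from 1 December 2024; whether the restore is usable is a separate question that only a test restore answers.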
Re: Backups often won't help (Score:2)
Then you still lost all your current data. All your current customers are going to pick a new logistics company. They're not going to wait around while you fix your shit.
If you can recover, how are you going to get these customers back? You're no longer trusted. They've already spent the cost to move to your competitors.
They probably figured it would be better to shut down the company now, than wait for it to lose all its money and go into liquidation. Why would the owners risk losing everything? Limited lia
Re: (Score:3)
You shouldn't be doing whole-disk backups, you should be doing data backups and the restore procedure should reinstall the OS from separate media or backups.
Then there is no such thing as a "poisoned" backup that "has ransomware."
Re: (Score:2)
Oh good gosh doesn't every admin know this already? Story time, kids. Once upon a time I was the person responsible for everything IT at a 20MM+ company. Was there for 8 years, the worst things that ever happened other than hardware failures was a few times an individual's workstation got compromised. It never spread beyond that device. Monkeyfucker CEO decides he can save money by firing me and hiring a friend-of-a-friend. Welp, about a year later they got hit with ransomware. Backups were unusabl
Failure to prepare is preparing to fail. (Score:2)
Complacency and an odd loathing of "modern" technology (computers are no longer "modern" in 2025 while everyone has had decades to get familiar) among many who should know better will continue to end in tears.
I use stories like this one to remind my friends to back up their data and in at least three places (the Rule of Threes is easy for non-techies to remember).
If your business burns to the fucking ground your backup(s) should permit rapid reload from bare metal. Many Slashdotters back up our personal dat
Incompetence kills (Score:2)
And if "one bad password" is enough to kill a company, then the C-levels there screwed up massively. Probably criminally negligent at that scale.
One Punishment for This (Score:1)
Death penalty. Not only that, but public gladiatorial combat. Televised and broadcast for free. Seriously, we'll only need to do maybe 30 of these and hacking will be solved.
Re: (Score:2)
So you mean for the C-levels of this company for this punishment, right? Because you aren't going to get to the hackers, who are just as likely in China, Korea or Russia.
Looking for an exit. (Score:2)
"We're under a ransomware attack? No... don't get an actual demand. Blame the owner of the weak credentials? No, no need to make them feel bad. Let's just close up shop and call it a day."
This just screams opportunity. My guess is that the owners are not particularly unhappy here. If the company was a healthy going concern, I'll eat my hat.
No emergency plan (Score:2)
just one of tens of thousands of UK businesses that have been hit by such attacks
We don't see tens of thousands of UK businesses closing their doors after being hit by such attacks. If a company can be brought down by a ransomware attack, it's ripe for being brought down. There's no reason for a business to be *that* fragile. If they are, they aren't planning for emergency situations.
More like hackers fail (Score:2)
They wanted to extort money in a ransomware attack. Instead they got nothing.
The company owners probably made the decision to quit while they're ahead, instead of risk losing more money.
The cost of time to recovery from total failure? (Score:2)
I've read so many people saying "should have had backups", but nobody has considered the time to rebuild from catastrophic failure. Every system and server is down, full restore and recovery to a time before infection (and validation of that).
The company was a transport company with 500 trucks on the road. That's a lot of logistics in play that need to have continuity, each one with cost of probably tens of thousands a day, or more, with heavy non-complete penalties for failure.
Full catastrophic failure c
The managers are full of it (Score:1)
Re: The managers are full of it (Score:2)
Fixing their systems would take how long?
Their customers would have immediately started looking elsewhere, and invoking contract clauses so they don't have to pay.
Now the company has no revenue or customers. And no one trusts them anymore. Explain how to recover from that. Better to cut losses than slowly bleed out.
True story (Score:1)
I was an intern at a state's geological survey and known to be a computer genius by the geologists. Disclaimer: it doesn't take much to be a computer genius by geologist standards.
One day, I was approached by the most senior geologist in the place, and a new hire high level geologist (4 out of 5). It seemed his only copy of his PhD was on the hard drive of an old Mac SE (remember those?!) that he had kept around for YEARS in hopes of accessing it, and he wanted to know if I could get it off. I said I would t
Re: (Score:1)
I've heard of various techniques of loosening up old drives that have too much friction to start spinning, including something about sticking it in a freezer. (I have doubts; the water condensation from humidity and rapidly-changing temperature...)
My favorite is to rapidly spin the drive housing back and forth along the same axis as the internal platters with my wrist, so that inertia of the platters holds them (closer) to stationary than the housing, and loosens things up. Then try to power it up again
Weak Security Policies Sink a 158-Year-Old Company (Score:2)
Takes actual, competent IT personnel. (Score:2)
I've worked with a lot of small businesses. Two stories.
I was at a new customer site, installing software on their server and setting things up. They had a sweet setup with an automatic tape backup. Thing is, they were supposed to swap out the tape (and take it offsite), but no one had done so in ages. The current tape - broken. So there had been no backup in over a year.
In another case, they had an IT savvy employee who handled everything for them as an extra duty. When he left, no one picked up the task