The world's leading shipping company Clarksons has informed the public about the details of the cybersecurity breach it suffered between May and November 2017. It is now clear that the attackers stole not just clients' personal data but much more.
The company admitted in November 2017 that cybercriminals had been able to penetrate its systems. This happened after the hackers managed to exploit a single compromised user account. They then exfiltrated users' personal data and demanded a ransom in exchange for returning the stolen data to the company.
Clarksons refused to pay the ransom, and for that reason the data was long expected to leak on the Internet. At the time, Andy Case, CEO of Clarksons, stated categorically:
"I hope our clients understand that we would not be held to ransom by criminals, and I would like to sincerely apologise for any concern this incident may have understandably raised."
The company has now released another official statement saying that, with the help of law enforcement and cybersecurity experts, it has succeeded not just in detecting but also in recovering the stolen personal data. However, it is unclear whether the hackers had already copied the data before it was recovered from them.
"While the potentially affected personal information varies by individual, this data may include a date of birth, contact information, criminal conviction information, ethnicity, medical information, religion, login information, signature, tax information, insurance information, informal reference, national insurance number, passport information, social security number, visa/travel information, CV / resume, driver's license/vehicle identification information, seafarer information, bank account information, payment card information, financial information, address information and/or information concerning minors," the statement said. This new information, however, is very worrying as it reveals a huge amount of personal data stolen by hackers.
Nowhere is it mentioned whether at least part of the stolen data was encrypted or hashed, which suggests that the data was probably not protected in any way and that the hackers managed to steal all of the information in plain text. What many victims are likely to face now is identity theft, bank fraud, and blackmail.
"In this particular incident, what is honestly shocking is the amount of sensitive data that this single account had access to and I am sure the EU GDPR will be looking closely," said Joseph Carson of Thycotic. "If it is found that EU GDPR applies, and Clarkson PLC had failed to apply adequate security, they could be facing a huge financial penalty."
Whether the authorities will invoke GDPR will be up to the individual EU regulators. Clarksons claims that the hackers had access to the company's systems from May 31, 2017, to November 4, 2017, which is before GDPR became active on May 25, 2018.
If the recovery of the stolen data leads to the identification and arrest of the actor, it will be possible to reveal exactly how and when the attack was carried out. So far, most cybersecurity experts working on the case believe that the theft of personal data succeeded because the company did not use multi-factor authentication and did not adequately manage accounts with elevated privileges.
Clarksons is also expected to have to explain to regulators why it stored such a huge amount and variety of personal data.
This case reminds us once again that, now that the European General Data Protection Regulation (GDPR) is in force, every company, regardless of its business scale, must choose GDPR-compliant services not just to protect its reputation but also to avoid bankruptcy after a potential attack.