Kroll, a division of Duff & Phelps, recently worked for a listed company that suffered a serious data breach. Large amounts of data had been stolen and they were being held to ransom. The client received emails from the attacker requesting millions of pounds in bitcoin not to release the data.
Kroll was engaged to assist the company in their investigation of how the breach occurred, but also to see if we could identify the attacker and locate the stolen data.
The attacker had placed all the stolen data on a server and given our client the password to log in – to show they were serious. Our client was given two weeks to pull the bitcoin together. If they failed to do so, the attacker would release the stolen data onto the internet – potentially compromising the personal data of thousands of employees and clients. We worked around the clock and identified the internal weakness that had allowed the attacker into the network.
The client, to their credit – and somewhat to the surprise of the insurer – decided against paying the ransom. So, we devised a new strategy of “cluttering” to mitigate the attacker’s threats.
In this cluttering strategy, should the attacker fulfill their promise to release the stolen data we would counter punch with our servers and Twitter bot army to spread a fake data set far more effectively than the attacker could. We would essentially “clutter out” the attacker by emulating them. Additionally, embedded in the clutter data were digital traps to alert us to any sign of third-parties looking at our fake data – from this, we would then be able to approach third parties and -- through the client’s legal counsel -- tell them to stop looking for our client’s data. We also placed warning messages in the fake data, warning any curious third parties that they should not be seeking to view our client’s stolen data.
The deadline set by the attacker came and went without incident. Our client informed their local regulator of the issue – and then silence. For a week we monitored the internet for any sign of the attacker fulfilling their promise. Behind the scenes, Kroll had found the physical location of the attacker’s server and was working to have it taken down.
Then the attacker struck, dumping links to their server and the real stolen data across Reddit, Twitter, Facebook, various blogs, and pastebins. However, we were ready with a takedown team who worked with outside counsel to remove the links from the internet within hours. Simultaneously, we also launched our “cluttering” response and within a day if anyone looked for our client’s stolen data, they would only find the fake data. By this point, Kroll had managed to get the attacker’s server taken down, and we recovered our client’s data – with no sign that it had been replicated elsewhere.
Kroll was nominated for a 2018 FT Intelligent Business award in recognition of our innovative approach to this incident.
Social media during a cyber-incident can be one of your most significant risks, but through creativity, it can also become part of an antidote.