The London-based diamond specialist Graff was hit by a ransomware attack this week, which compromised thousands of people’s personal data.
As many as 69,000 documents have already been leaked on the dark web, but this represents a fraction of the stolen information.
The list of victims includes high-profile names such as Donald Trump, Tom Hanks, Samuel L. Jackson, and several ex-soccer players, including David Beckham and Frank Lampard.
In some cases, customer names and addresses used for billing were compromised, while other records include the details of what the customers bought and the cost of those items.
An official spokesperson for Graff confirmed the breach and said that the organization is working with the relevant law enforcement agencies and the UK’s data protection regulator, the ICO (Information Commissioner’s Office), to investigate the incident.
Who is responsible?
The attack is thought to have been conducted by Conti, a Russia-based ransomware group that has previously been blamed for a series of attacks across the US.
The US government issued an alert about Conti in September, urging organizations to bolster their security practices to mitigate the risk of an attack.
It stated that the group often targets organizations using spear-phishing emails containing malicious attachments, and by exploiting stolen or weak Remote Desktop Protocol (RDP) credentials.
It’s not yet known how much Conti is demanding to release the data, but one report states that it’s more than £10 million (about $13.5 million).
Fortunately, Graff says that it has been able to rebuild its systems from backups and has avoided any permanent loss of customer data.
As such, there is no need to negotiate with the attackers – although it means the crooks will now almost certainly sell the remaining data on the dark web.
However, there is a strong possibility they would have done that even if Graff had paid up, which is why cybersecurity experts urge organizations not to meet their demands.
These are cyber criminals, after all, and there is no reason to think they will keep their word once you deal with them.
Another factor to consider is that, whether the stolen data is returned or not, it is still considered a data breach because the information was compromised. The organization’s notification requirements therefore don’t change, and it is still subject to regulatory action.
Organizations that demonstrate that they were prepared for a security incident – by implementing backups and an incident response plan – will face less scrutiny than those that pay off their attackers, and will almost certainly receive a lighter penalty or none at all.
The lesson, then, is to remain vigilant and expect the unexpected.
Incident response with IT Governance USA
If you find yourself facing a cyber security disaster, we are here to help. Our experts can help you understand your cyber risks and the steps you can take to secure your organization.
Contact us today to get started.