“Fortunately” for Encevo, few people care about the fate of their personal data… when they… The experts that Paperjam contacted have not calmed down.
“This is a very serious mistake, and Encevo will have to answer at least to the ILR and the CNPD,” one of them explains, given that the group that oversees Enovos and Creos “is obliged to ensure the protection of the data of its customers, whether they are companies or individuals.” In other words, it was not sufficiently prepared for possible cyberattacks at a time when it is believed that all companies – and mission-critical companies even more so than others – will sooner or later fall victim to an attack.
The notion of cyber risk first appears in the 2017 annual report, where Encevo indicates that it has strengthened its IT infrastructure to protect its customers’ data. Two years later, the group started measuring its progress against two International Accounting Standards and completed the three-year strategy that was supposed to end this year. The timing is both good and bad: good because the group was prepared, bad because getting hacked when you think you are on the right track is painful.
Updated and improved strategy
“We have a cybersecurity strategy that is regularly updated and improved,” indicates the Communications Service, which has responded in a timely manner to every request for information since the cyberattack on the night of Friday July 22 to Saturday July 23 – without “any indication that the attackers were already in our system prior to the date of the attack.” “Our group’s information system is protected by advanced security systems and processes, complemented by a 24/7 security operations center, as well as access to a computer emergency response team. These measures allowed us to respond quickly. Our group continuously invests in its security measures to respond to rapidly evolving cyber threats and comply with the strict provisions of the GDPR (General Data Protection Regulation) and the NIS Directive (Network and Information Security Directive).”
The attack faced by the Luxembourg group is unique in that it used “new” software, first observed during an attack in November last year. The software, written in the Rust programming language, automatically adapts to the level of resistance it meets inside a company. After gaining access to the servers in a manner not yet known, the software can either encrypt all data (slow but secure), encrypt only the first few megabytes of each document (fastest, but insecure), or alternate between the two approaches depending on its task. At Colonial Pipeline, the hackers used the VPN password of one of the company’s engineers to get in, and the software then spread to more and more servers and computers.
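The “fast” mode described above leaves most of each file in the clear, and that is exactly what a defender can look for: ciphertext looks like random bytes while ordinary documents do not. The script below is an added example, not code from the article or from any vendor tool; it scans a file in 1 MiB windows (a constructed choice) and labels it as fully, header-only, intermittently, or not encrypted, using random bytes as a stand-in for ciphertext in the constructed samples.

```python
import math
import os
from collections import Counter

# 1 MiB windows: a constructed choice matching the "first few megabytes" mode.
CHUNK = 1024 * 1024


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext/random data, roughly 4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(blob: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each consecutive window of the file."""
    return [shannon_entropy(blob[i:i + chunk]) for i in range(0, len(blob), chunk)]


def classify(blob: bytes, chunk: int = CHUNK, high: float = 7.5) -> str:
    """Label a file by where its high-entropy (encrypted-looking) windows sit."""
    flags = [e >= high for e in chunk_entropies(blob, chunk)]
    if not flags:
        return "empty"
    if all(flags):
        return "full-encryption"
    if not any(flags):
        return "plaintext"
    if flags[0] and not any(flags[1:]):
        return "header-only encryption"   # fast mode: only the leading window is hit
    return "intermittent encryption"      # alternating encrypted/plain windows


def build_samples() -> dict:
    """Constructed files: random bytes stand in for ciphertext."""
    plain = b"Meter reading 2022-07: 1234 kWh. Customer record.\n" * 84000
    n_chunks = len(plain) // CHUNK + 1
    return {
        "plaintext": plain,
        "full": os.urandom(len(plain)),
        "header_only": os.urandom(CHUNK) + plain[CHUNK:],
        "intermittent": b"".join(
            os.urandom(CHUNK) if i % 2 == 0 else plain[i * CHUNK:(i + 1) * CHUNK]
            for i in range(n_chunks)),
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:12s} -> {classify(blob)}")
```

Run it over a directory of real files after an incident and the per-window entropy profile shows which files were touched at all, even when only their first megabyte was encrypted.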
Today, Encevo indicates that 106 GB were exfiltrated, while the BlackCat hackers say they have 150 GB. As usual, the hackers published their ransom note with several screenshots of the data, a kind of “guarantee” that they are not impostors, which we were able to see.
76 bitcoins… recovered in less than a week
Colonial Pipeline also had 100 GB stolen, in two hours. On the darknet, the hackers gave Encevo until Monday to pay the ransom without specifying the amount, and the group itself has not disclosed it either. The Americans, concerned about the scale of the hack, chose to pay a ransom of 76 bitcoins (4 million euros)… most of which (63.7 bitcoins) the FBI and the Department of Justice recovered a few days later. The case of BlackCat is even more particular in that the organization recruits “franchisees” who receive the software, even without a user manual, for 90% of the ransom they would collect.
Encevo did not respond to a question about whether it would pay the ransom. Officially, companies are asked not to pay, since paying guarantees neither that they will receive a key allowing them to restore the encrypted data on their own servers, nor that the hackers will not keep a copy of the stolen data and eventually sell it to the highest bidder. Informally, a cost-benefit calculation is always made.
In the long term, analysts put the cost of the lost trust of corporate clients at 10% of the company’s annual turnover. This figure obviously varies depending on the field of activity and on whether or not the company is listed on the stock exchange.
Filing a complaint is not easy
Not to mention the legal implications. Encevo will likely have to demonstrate to the National Data Protection Commission what it has done and is doing to protect data, and could also face legal action. Under the 2019 law transposing the European directive, Encevo is considered an “operator of essential services” and must report directly to the Luxembourg Regulatory Institute (while banking and financial players report to the CSSF). The company risks… a warning, a reprimand or a fine that can be as high as 125,000 euros.
The prosecutor’s office points out that the Criminal Code does not list cybercrime as a separate offence, but that hackers face a fine of between 500 and 30,000 euros and a prison sentence of two months to five years under the provisions on computer crimes (Articles 509-1 to 509-7 of the Criminal Code).
The prosecutor’s office invites customers who have confirmation that their data was stolen to file a complaint. But it is far from easy. Encevo has suggested that its customers change the passwords they use to access its services, and anywhere else the same passwords are reused – which is never a good idea – a recommendation to which experts add two more: be very wary of SMS messages or emails that may arrive in the coming days or weeks, and monitor bank accounts more regularly to detect abnormal transactions.
Close monitoring of the darknet and forums
As always in such cases, government agencies, in particular the very active Govcert, monitor the Internet and the part of it hidden from the general public, the darknet, to detect any offer concerning Luxembourg data.
On Thursday, Encevo issued its third press release in 15 days to indicate that it is in the process of restarting its services, asking its customers not to call, since it is not sure it can keep everyone informed. “This is a very long time,” the expert criticizes. “More than a week, if you have backups, is a very long time.”
“Yes, we have reliable backups for all of our services and applications. Some services are already working again, others will start working in the coming days. That it takes several days to restore from a backup is not abnormal in the face of a malicious attack of this magnitude,” says the group’s communications department.