Clarksons has finally released more details of a 2017 data breach, claiming the hacker demanded a ransom for the stolen information.
The UK-headquartered shipper said it discovered unauthorized access to its systems between May 31 and November 4 last year. The attackers got in via a “single and isolated user account” which was subsequently disabled.
However, the firm appears to have proactively been able to mitigate the worst effects of the attack.
“Through the investigation and legal measures, Clarksons was then able to successfully trace and recover the copy of the data that was illegally copied from its systems,” it claimed.
Although the firm believes it has recovered the data, it is notifying potentially affected individuals, as the range of data stolen is worryingly broad.
“While the potentially affected personal information varies by individual, this data may include a date of birth, contact information, criminal conviction information, ethnicity, medical information, religion, login information, signature, tax information, insurance information, informal reference, national insurance number, passport information, social security number, visa/travel information, CV, driver’s license information, seafarer information, bank account information, payment card information, financial information, address information and/or information concerning minors,” the statement noted.
As the hackers were able to infiltrate the network via just a single entry point, the case highlights the need for strong authentication everywhere, according to Keith Graham, CTO at SecureAuth Core Security.
“Most data breaches happen because of misused user credentials, so if businesses focus on getting the access and authentication part right for users that’s half the battle. This helps ensure that privilege and roles from one side of the partnership cannot be used anomalously against the other side of the partnership, and vice versa,” he added.
“This approach limits the risk associated with the misuse of stolen or lost credentials, before authentication methods are even offered to the end user.”
This incident occurred well before the GDPR was brought into force, but the lack of transparency by the victim organization, the length of time it took to notify customers and the sheer range of highly sensitive data potentially compromised would certainly have warranted a serious investigation.
The regulation mandates that organizations operate a policy of data minimization so that they represent a smaller target to hackers.