Cyber attack recovery: it's never over until it's over
Recovering from a cyber attack can be one of the greatest challenges an organisation faces. A successful attack can result in a ransom demand, either to decrypt data or to prevent exfiltrated data from being published. Whether or not the ransom is paid, both "denial of data" through encryption and data exfiltration can result in lengthy post-incident handling, recovery and clean-up activities, which can take weeks and, in some cases, months. A cyber-attack incident is never over until it's over.


Recovery and restoration activities when data and systems have been compromised by encryption can be protracted and complex because of:

  • Hundreds of interdependencies between systems, platforms and services. These may not be fully understood until recovery is under way, because some dependencies were never documented or have since been forgotten, and only surface when a restored system fails to start.

  • Knowledge gaps. Most corporate IT infrastructures have grown up over many years. Knowledge of interfaces with other systems, and of the "workarounds" that keep them running, may have been lost through staff turnover.

  • Lack of a suitable environment in which to conduct recovery. With a complete infrastructure rebuild, it is likely that you will have to rebuild on entirely new infrastructure that can be trusted, and then "port" services back onto your current IT estate. This porting step can contain its own trip-wires: any compromised component carried across can reinfect the clean environment.


Excerpt of a letter to customers from the CEO of a major travel organisation following a cyber attack that encrypted but did not exfiltrate data


Some of the major challenges faced by organisations that have been forced to undertake a complete IT rebuild are:

  • Accepting that recovery is a gradual process, and hence having to prioritise restoration of the most critical IT systems so that the most important business activities can resume first. Strategies for this vary from re-establishing services in-house to external hosting.

  • Deciding whether to rebuild like-for-like or to recreate services on a different footing (using cloud and SaaS services, for instance).

  • Being blind. Some organisations have been forced to recreate their financial records from bank statements. This is adequate for stating "where are we today" but does not help with cash-flow predictions, managing receivables and so on. Until the data and systems for financial records and ERP are restored, visibility of the organisation's financial position is extremely limited.

  • Accommodation. Recovery activities require time, skills and resources. It has not always been possible to accommodate them in the usual workplace: the people performing them need IT resources such as uncompromised workstations and, very likely, somewhere to work.
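The two lists above both come down to the same planning problem: you can only restore a system once everything it depends on is back, and the dependencies you did not know about are the ones that stall the plan. The script below is an added example (not from the original article or any real recovery) showing how a recovery team can turn a system inventory into a prioritised restore order, and how an undocumented dependency surfaces as a blocked system rather than a surprise mid-restore. The inventory, system names and criticality scores are constructed for the example and are not real.

```python
from graphlib import TopologicalSorter, CycleError

# Constructed inventory: each system maps to the systems that must be running
# before it can be restored. Names are hypothetical, not from any real estate.
DEPENDENCIES = {
    "identity": set(),                 # directory / IdP, rebuilt first on clean kit
    "dns": {"identity"},
    "storage": {"identity"},
    "erp_db": {"storage", "dns"},
    "erp": {"erp_db", "identity", "dns"},
    "payroll": {"erp"},
    # "reporting_db" is referenced here but is not in the inventory: an
    # undocumented dependency of the kind the article describes.
    "finance_reporting": {"erp", "reporting_db"},
}

# Constructed business criticality (lower = restore first), used to order
# systems that become restorable in the same wave.
CRITICALITY = {"identity": 0, "dns": 0, "storage": 0, "erp_db": 1,
               "erp": 1, "payroll": 1, "finance_reporting": 2}


def unknown_dependencies(deps):
    """Dependencies referenced by some system but absent from the inventory."""
    return {d for needs in deps.values() for d in needs if d not in deps}


def blocked_systems(deps):
    """Systems that cannot be scheduled because they (transitively) need an
    unknown dependency; these need investigation before the plan is final."""
    unresolved = unknown_dependencies(deps)
    blocked = set()
    changed = True
    while changed:            # propagate until no new system becomes blocked
        changed = False
        for system, needs in deps.items():
            if system not in blocked and needs & (unresolved | blocked):
                blocked.add(system)
                changed = True
    return blocked


def plan_restore(deps, criticality):
    """Return {'unknown', 'blocked', 'cycle', 'waves'}. Each wave lists the
    systems whose prerequisites are all restored by earlier waves, most
    critical first. A dependency cycle is reported instead of a plan."""
    unresolved = unknown_dependencies(deps)
    blocked = blocked_systems(deps)
    schedulable = {s: needs for s, needs in deps.items() if s not in blocked}
    sorter = TopologicalSorter(schedulable)
    try:
        sorter.prepare()      # raises if, e.g., A needs B and B needs A
    except CycleError as err:
        return {"unknown": unresolved, "blocked": blocked,
                "cycle": list(err.args[1]), "waves": []}
    waves = []
    while sorter.is_active():
        ready = sorted(sorter.get_ready(),
                       key=lambda s: (criticality.get(s, 99), s))
        waves.append(ready)
        sorter.done(*ready)   # mark the wave restored, unblocking the next
    return {"unknown": unresolved, "blocked": blocked,
            "cycle": None, "waves": waves}


if __name__ == "__main__":
    plan = plan_restore(DEPENDENCIES, CRITICALITY)
    print("unknown dependencies:", sorted(plan["unknown"]))
    print("blocked until investigated:", sorted(plan["blocked"]))
    for n, wave in enumerate(plan["waves"], 1):
        print(f"wave {n}: {', '.join(wave)}")
```

Run stand-alone it prints five restore waves starting with identity, and reports finance_reporting as blocked by the unknown reporting_db. The point of running this before the rebuild starts, rather than discovering it during the rebuild, is that the blocked list is exactly the set of systems whose runbooks need to be re-validated with whoever still remembers how they were wired up.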


Data breach incidents are not always accompanied by the destruction of the organisation's IT infrastructure, but they can have significant long-term implications.



This post, published July 25th 2022, relates to a major data breach involving T-Mobile; the breach itself occurred during August 2021.


T-Mobile will pay $350 million to settle multiple class-action suits stemming from a data breach affecting tens of millions of people. In a proposed settlement announced Friday, T-Mobile also agreed to spend an extra $150 million on cybersecurity. (August 2021)


T-Mobile agrees to pay customers $350 million in settlement over massive data breach - CNN

 

For data breaches that fall into the category of "notifiable", depending on the size and nature of the breach, a number of operational and litigation challenges can manifest themselves:

  • Informing customers that their PII has been compromised. For a data breach affecting many customers, notification has required additional resources to make initial contact with and then engage with data subjects. Many firms have needed a "task force" to expedite this.

  • A substantial task force needs somewhere to work, and possibly IT support to manage the notification and support processes for data subjects.

  • Members of the task force have required training, or "upskilling", to handle communications with affected data subjects.

  • Unprecedented spikes in data subject requests. When news of a major data breach breaks, organisations experience a tsunami of data subject requests, far exceeding the resources available to the DPO and their team.

Overall, for firms impacted by a major data breach, it can take an average of 3 to 6 months to return to "business as usual", with a litigation risk that can persist for up to 6 years (in the UK).


 

Some organisations have experienced other complications when dealing with a major data breach:

  • Cross-jurisdictional issues. If the incident affects data subjects in other countries, or data is exfiltrated from equipment situated outside the local jurisdiction, confusion can arise over which jurisdiction, and hence which regulations, apply.

  • "No win, no fee" lawyers may instigate opportunistic claims. These must still be responded to, since failing to respond can result in a default judgement against the organisation.


 

A major cyber attack can challenge the assumption that data and systems can be restored within expected time frames. When the integrity of data and of the whole IT infrastructure is compromised, both the complexity and the duration of recovery increase. Incident handling also extends far beyond technical considerations, requiring additional resources, processes and accommodation.