Earlier this year, budget airline Easyjet suffered a data breach caused by a ‘highly sophisticated cyber attack’, in which the email addresses and travel details of around nine million people were stolen. Of these, 2,208 also had their credit and/or debit card details ‘accessed’. It seems that we get news of a cyber attack on a large business every day, and there is growing concern about the sketchy response from senior executives and Board members to the cyber threat.
For a long time, cyber security experts have complained that the leadership levels of companies do not do enough to protect their businesses. Previously, the issue has been mainly around a lack of understanding of the cyber threat, which led to inadequate defenses being built. Increasingly, however, there is now a feeling that ‘Breech Fatigue’ is setting in – where many company executives know there is a significant threat, but passively accept that an incident is inevitable. In these cases, many firms have simply looked to cyber insurance as a ‘Get Out of Jail Free’ card. However, an ongoing court case might cause them to think again.
In June 2017, the multinational food and beverage company, Mondelez International, fell victim to the NotPetya ransomware attack – the same malware which cost shipping giant Maersk up to $300 million to fix. The attack cost Mondelez an estimated $100 million to repair, with 1,700 servers and 24,000 laptops needing replacement or repair. Not a problem though, thought Mondelez, as they had a comprehensive all-risk property insurance policy with Zurich. Not so fast, replied Zurich, who denied the claim based on a clause excluding any loss or damage resulting from a ‘hostile or warlike action’. NotPetya was linked to an Advanced Persistent Threat group linked to the Russian government, who had used the malware against Ukrainian interests.
Mondelez has subsequently sued Zurich for its refusal to pay out, claiming that the insurer has breached its contractual obligations, failed to honor promises, and conducted business in bad faith. Zurich maintains that as the NotPetya attack has been linked to a hacker group known as ‘Sandworm Team’ – which has been linked to the Russian government by many Western governments - the attack was an act of war and therefore is not covered. At the time of writing, the case is slowly making its way through an Illinois state court, and the result will be of great interest – it may well answer the question ‘Is cyber insurance worth the paper it’s written on?’
Easyjet will no doubt be paying great attention to the outcome. The law firm, Hayes Conner, has already launched a service offering affected customers the chance to claim compensation through a ‘no-win, no-fee’ group litigation action, and it estimates that every affected person might be able to claim up to £2000 – that’s a staggering £18 billion for all nine million customers. And then there’s the Information Commissioner’s Office to consider as well, given that personal data was stolen. it is likely that Easyjet will be investigated for potential GDPR lapses, which could result in a significant fine – all whilst the airline industry is on its knees thanks to Covid-19. It is certainly a sign that businesses should not rely on cyber insurance to clean up the mess after an attack.
One issue that I doubt will make much of an impact on Easyjet is the reputational risk. Unlike, say, a wealth management company or a law firm – where a cyber attack or data breach could well see clients heading for the emergency exits – it’s very unlikely that a family of four heading to the Costa Del Sol for a fortnight’s holiday are going to avoid Easyjet because of a cyber attack. In the budget airline market, the cost of putting your bum on a seat outweighs almost every other consideration.
Interesting ways to breach
But what of the attack itself? Very little information on the event itself has leaked out into the public domain, other that it was a ‘highly sophisticated’ attack. Whilst the details remain – for now – behind closed doors, the nature of cyber attacks means that the level of sophistication could run all the way from nation-state backed hackers such as Sandworm Team to the proverbial ‘teenage Hacker sitting in their bedroom’. However, it’s more likely to be the former rather than the latter, given the involvement of the National Cyber Security Centre, since they don’t tend to get involved when an amateur hacker happens to discover a database accidentally left insecure by the IT team.
The sophisticated groups – known as Advanced Persistent Threats, or APT’s – are using increasingly interesting way to infiltrate companies. Whilst phishing emails tend to still be the most effective means of gaining access to a business, all of the focus placed on protecting email systems from phishing attacks – and the cyber awareness training given to staff – is starting to pay off. Therefore, the attackers are looking for alternative methods. I am increasingly seeing the use of the darknet to connect to company networks by hackers, who are using it to cover their tracks in and out of a network as detecting darknet connections is difficult for IT Security teams. I am also seeing APT’s actively asking for data on Western companies. One group, in fact, is currently advertising for information on the networks of these businesses, stating a significant reward should the data provided result in a successful ransomware attack and pay-out. The risk is significant for multinationals, who employ IT teams across the globe and who might have a disgruntled employee or contractor just waiting for the right opportunity.
In due course, we will find out exactly what happened to Easyjet. In the meantime, it would be remiss of any company executive to think their business is immune from the threat, especially when insurance might simply provide a false sense of security that could result in the downfall of many.