NetworkTigers discusses the right way to publicly disclose and report a ransomware attack.
Aside from addressing the logistical repairs and business disruption following a successful ransomware attack, companies that store or manage customer data must navigate the shifts in public opinion and the resulting fallout. To “do the right thing” and maintain integrity, organizations must carefully manage how they disclose and report a ransomware attack.
Why should businesses report a ransomware attack?
Attacks should always be reported through the proper channels. Reporting is often a condition of recovering funds under a cyber insurance policy, and it allows government agencies to collect data on attack trends that can be useful in preventing future attacks and apprehending those responsible.
Ransomware attack reports also give developers insight into weak points in their products that can lead to tighter security patches and critical updates.
Additionally, ransomware attack reporting is on its way to being legally mandatory. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), enacted in 2022, requires companies operating within the 16 listed critical infrastructure sectors to report significant cyber incidents within 72 hours of the attack’s discovery.
The FCC is also proposing rules that would make public notification mandatory after breaches at major telecom companies.
Lastly, reporting and responsibly disclosing an attack shows good faith toward those whose data may have been stolen or accessed in the incident.
How to report a ransomware attack
Report a ransomware attack to a local FBI field office immediately. Not only will federal authorities investigate the incident, but they may also be able to provide decryptors developed in response to widespread attacks.
You should also file a report with the FBI’s Internet Crime Complaint Center (IC3). According to the FBI, reports made via IC3 allow the agency “to investigate reported crimes, track trends and threats, and, in some cases, even freeze stolen funds. As importantly, IC3 shares crime reports throughout its vast network of FBI field offices and law enforcement partners, strengthening our nation’s collective response locally and nationally.”
The Cybersecurity & Infrastructure Security Agency (CISA) also provides an attack reporting tool on its website to collect information about cybercrime that can be used to assist your business and other victims.
How to publicly disclose a ransomware attack
Reporting a ransomware attack to the authorities is straightforward because it follows a prescribed process through dedicated channels. Notifying the public of the incident, by contrast, requires finesse and delicacy, and the right approach varies with the industry a company operates in and the kind of customer or user data the business is responsible for protecting.
Short-term secrecy may seem to protect a company’s interests against user backlash. However, cover-ups tend to leak, and the public’s response to a company putting its interests over the safety and security of paying customers does far more reputational damage to an organization than an initial disclosure.
While honesty is the golden rule for maintaining good standing with the public, accurately and transparently disclosing breaches and attacks is where many companies drop the ball.
Blackbaud, a South Carolina-based cloud computing company, dropped the ball in its reporting of a 2020 cyberattack that resulted in millions of files belonging to around 13,000 of its customers falling into the hands of criminals.
After secretly paying off the crooks, Blackbaud waited another two months before notifying customers of the incident and, even then, did not provide accurate information about the severity of the breach.
Blackbaud’s botched response to the attack resulted in several class action lawsuits against the company and a $3 million settlement.
Disclosing a data breach is appreciated, but withholding information about the severity of the attack or its effects on users while doing so is a bad idea.
It should be clear what customer data was compromised, what actions are being taken to mitigate the attack’s shockwaves, and how those impacted may be affected.
The recent breach of LastPass provides an example of how not to report a ransomware attack.
The password management platform suffered a series of breaches in 2022 that stemmed from an initial intrusion in August. The company announced its struggles on December 22, a date undoubtedly selected to minimize the disclosure’s impact on people gearing up for holiday vacation and time off from work.
What’s worse, LastPass’s statement was, according to security researcher Wladimir Palant, “full of omissions, half-truths, and outright lies.”
Security researcher Jeremi Gosney did not mince words when accusing the company of making “a bald-faced lie.”
LastPass’s response revealed a company being dragged kicking and screaming into disingenuously disclosing a breach at a time that would hopefully allow its severity to fly under the radar. A company that depends on customer trust and stores access to its customers’ most sensitive accounts can’t be perceived as self-serving after it fails at keeping user data safe, which is, quite literally, its only job.
Companies would do well to fully inform customers of data breaches and to keep them regularly updated on further developments that may affect their privacy.
In addition to reporting and publicly acknowledging a ransomware attack, many companies reach out to customers directly affected by the incident to offer free credit monitoring services for one or more years. While some customers may never take advantage of the service, extending the offer is another way for businesses to show their users that they have their interests in mind, even when it comes to consequences that may be felt through avenues outside of the attacked company’s control.
Some organizations also set up dedicated hotlines that customers can contact if they have questions about their data security. These hotlines should be easy to reach and staffed with well-informed agents who are ready to assist callers with questions about using any complimentary credit monitoring services or about what information of theirs was exposed.
Kronos, the US’s largest human resources and payroll company, suffered a ransomware attack in December 2021. News of the breach, which delayed payments for thousands of workers across various industries for weeks, revealed that Kronos did not have a meaningful recovery strategy and left its customers alone to manage the chaos, much to their dismay.
According to at least one source, Kronos also paid the ransom demanded to regain access to its systems. The company maintained a page dedicated to updates on the investigation of the attack, but it no longer exists and instead redirects visitors to the company’s homepage. This is a visible indication that, like other companies that have failed to meet the moment after a cyberattack, Kronos would much prefer that its customers forget it ever happened.