Hacker behind Clarksons data breach got in via a single user account
2 August 2018
In November last year, shipping giant Clarksons PLC announced that it had suffered a major cyber security incident after a hacker gained access to a single user account and stole sensitive and confidential information.
The hacker then contacted Clarksons and demanded a ransom in exchange for the sensitive information, which the firm refused to pay. Andi Case, CEO of Clarksons, made the headlines when he firmly announced that the firm would not be held to ransom by criminals at any cost.
“As you would rightly expect, we’re working closely with specialist police teams and data security experts to do all we can to best understand the incident and what we can do to protect our clients now and in the future.
“In the meantime, I hope our clients understand that we would not be held to ransom by criminals, and I would like to sincerely apologise for any concern this incident may have understandably raised,” he said.
Even though Clarksons was widely praised for disclosing the breach publicly and informing affected customers about the actions it was taking to mitigate the impact of the breach, the firm did not confirm how much data was lost and whether such data pertained to personally identifiable information of customers.
A treasure trove of personal & financial data compromised
In a fresh press release, the firm has disclosed details of sensitive information that was compromised by last year’s hack, and it makes for grim reading. While the firm hasn’t disclosed the number of customers affected, here’s what it says about the data that was compromised:
“While the potentially affected personal information varies by individual, this data may include a date of birth, contact information, criminal conviction information, ethnicity, medical information, religion, login information, signature, tax information, insurance information, informal reference, national insurance number, passport information, social security number, visa/travel information, CV / resume, driver’s license/vehicle identification information, seafarer information, bank account information, payment card information, financial information, address information and/or information concerning minors.”
What this implies is that the hacker gained access to both personally identifiable information and financial information of Clarksons’ customers. Such data is a goldmine for cyber criminals looking to sell citizens’ data, to create duplicate passports and other false identities, or to use the details to obtain new SIMs or purchase expensive products online.
The silver lining here is that, with the help of law enforcement and forensic investigators, Clarksons has been able to trace and recover the copy of the data that was illegally copied from its systems. However, it is not clear whether the hacker still has a copy of the stolen data in his or her possession, or whether the hacker passed the information on to other criminals.
Accordingly, Clarksons is now asking affected customers to review their personal account statements and credit reports for suspicious activity, to have the three major credit bureaus in the United States place a “fraud alert” on their files so that creditors take additional steps to verify their identities before granting credit in their names, and to place a security freeze on their credit reports if necessary.
Firms must implement privileged access security
Commenting on how a hacker could gain access to such a large trove of sensitive data after compromising a single user account, Joseph Carson, Chief Security Scientist at Thycotic, said that hackers succeed in reaching sensitive information directly when only a single password stands between them and the data, because many organisations do not implement privileged access security.
“Many cybercriminals use techniques that first target user accounts through phishing and social engineering, then move laterally to find those privileged accounts that provide them with full access to the network and sensitive data. However, in this particular instance it appears they hit the jackpot account with their first try – or they have a good passive assessment, so they knew which user account to target.
“Privileged Access Management is something that many organisations have prioritised in 2018; however, these serious data breaches show that rather than just prioritising it as a project, they must act immediately and implement it ASAP.
“The lesson to be learned from this incident is the importance of protecting accounts with privileged access to sensitive data, and that those accounts should never use a password as the only security control. Similarly, a single account should never have full access to such a large amount of data – at least without peer reviews and approval processes,” he added.
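The two controls Carson describes (no password-only access to sensitive data, and no single account pulling a large volume of records without a second person's approval) can be expressed as an explicit access-policy check. The following is an added example written for this article; it is not code from Clarksons, Thycotic or any product, and the dataset names, role name, `BULK_THRESHOLD` value and the whole `Session`/`Request` model are assumptions chosen for illustration.

```python
"""Added illustrative example: a minimal policy gate in front of a sensitive
data store. Not Clarksons' or Thycotic's code; every name and threshold below
is an assumption made for this example."""
from dataclasses import dataclass, field
from typing import Optional, Set

# Assumed: exports above this many records need a second, distinct approver.
BULK_THRESHOLD = 100

# Assumed names of data sets that must never be reachable with a password alone.
SENSITIVE_DATASETS = {"seafarer_records", "payment_cards", "passport_scans"}


@dataclass
class Session:
    user: str
    password_ok: bool           # primary factor (password) accepted
    mfa_verified: bool          # second factor completed for this session
    roles: Set[str] = field(default_factory=set)


@dataclass
class Request:
    session: Session
    dataset: str
    record_count: int
    approved_by: Optional[str] = None   # user id of a second person who approved the pull


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(req: Request) -> Decision:
    """Apply the controls in order; the first failing control decides."""
    s = req.session
    if not s.password_ok:
        return Decision(False, "primary authentication failed")

    if req.dataset not in SENSITIVE_DATASETS:
        return Decision(True, "non-sensitive dataset")

    # Control 1: a password alone never unlocks sensitive data.
    # A phished or reused password therefore stops here.
    if not s.mfa_verified:
        return Decision(False, "second factor required for sensitive data")

    # Least privilege: the account must actually hold a role for this data.
    if "sensitive_reader" not in s.roles:
        return Decision(False, "account lacks the sensitive_reader role")

    # Control 2: bulk pulls need a second pair of eyes, and an account may
    # not approve its own request.
    if req.record_count > BULK_THRESHOLD:
        if req.approved_by is None:
            return Decision(False,
                            f"export of {req.record_count} records requires approval")
        if req.approved_by == s.user:
            return Decision(False, "self-approval is not permitted")

    return Decision(True, "allowed")


def demo() -> Decision:
    """Constructed scenario: an attacker holding only a phished password for a
    single high-value account tries to pull the whole seafarer data set."""
    phished = Session(user="alice", password_ok=True, mfa_verified=False,
                      roles={"sensitive_reader"})
    return evaluate(Request(phished, "seafarer_records", record_count=50000))


if __name__ == "__main__":
    d = demo()
    print(f"allowed={d.allowed}: {d.reason}")
```

The ordering matters: the second-factor check runs before the role check so that a stolen password is rejected regardless of how privileged the account is, and the approval check compares the approver against the requesting user so that a compromised account cannot satisfy the control by approving itself.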
“Most data breaches happen because of misused user credentials, so if businesses focus on getting the access and authentication part right for users that’s half the battle. This helps ensure that privilege and roles from one side of the partnership cannot be used anomalously against the other side of the partnership, and vice versa. This approach limits the risk associated with the misuse of stolen or lost credentials, before authentication methods are even offered to the end user,” said Keith Graham, CTO at SecureAuth + Core Security.