British shipping services firm Clarksons has revealed a high profile data breach last year stemmed from a hack on a “single and isolated user account”.
Criminal hackers stole employee information from the shipping firm before unsuccessfully attempting to blackmail it. In an update this week on its progress in dealing with the previously disclosed breach, Clarksons said it has been “able to successfully trace and recover the copy of the data that was illegally copied from its systems”.
The breach itself ran for more than five months, between 31 May 2017 and 4 November 2017, the update (pdf) also revealed.
Clarksons is in the process of notifying potentially affected individuals, some of whom have had a complete portfolio of their personal information laid bare by the breach. Judging by the types of information exposed, employees and (perhaps) contractors are among those most exposed by the breach. Clarksons has consistently refused to clarify whether or not customer data was exposed, and we still can't be sure on that point.
While the potentially affected personal information varies by individual, this data may include a date of birth, contact information, criminal conviction information, ethnicity, medical information, religion, login information, signature, tax information, insurance information, informal reference, national insurance number, passport information, social security number, visa/travel information, CV / resume, driver’s license/vehicle identification information, seafarer information, bank account information, payment card information, financial information, address information and/or information concerning minors.
Affected individuals are urged to “remain vigilant against incidents of identity theft and fraud by reviewing personal account statements for suspicious activity”. The scope of the data theft opens the door to all manner of ID theft scams. Fraudsters who happen to obtain copies of the stolen data might be able to mount highly plausible social engineering or phishing scams, for one thing.
Clarksons was compromised in the UK by hackers who made off with data before demanding a ransom for its safe return. It responded by notifying the police and regulators as well as launching an investigation of its own, aided by external forensics experts. Partial results of this computer forensics effort are covered in its update.
Through the forensic investigation, Clarksons quickly learned that the unauthorized third party had gained access to its system from May 31, 2017 until November 4, 2017.
Clarksons learned that the unauthorized access was gained via a single and isolated user account. Upon discovering this access, Clarksons immediately disabled this account.
Through the investigation and legal measures, Clarksons were then able to successfully trace and recover the copy of the data that was illegally copied from its systems.
We know that Clarksons resisted this attempted blackmail, going so far as to obtain an injunction against unnamed criminals back in March. It’s unclear how many records were exposed or whether any criminal prosecution has been initiated in the case.
Clarksons has yet to respond to requests from The Register for information on these as-yet unanswered questions. We’ll update this story as and when more information comes to hand.
Single point of pwnage
Joseph Carson, chief security scientist at privileged account management tech firm Thycotic, told El Reg that it wasn't particularly significant that a single user account was to blame for the breach at Clarksons.
"Many organisations have failed to implement privileged access security and in failing to do so, they typically allow single user accounts to access sensitive information directly with only a single password protecting the sensitive data," Carson explained. "Many cybercriminals use techniques that first target user accounts through phishing and social engineering, then move laterally to find those privileged accounts that provide them with full access to the network and sensitive data."
He added: "However, in this particular instance it appears they hit the jackpot account with their first try - or they have a good passive assessment so they knew which user account to target." ®