One weak password brought down a 158-year-old company

Shawn Knight

In a nutshell: The 158-year-old firm had roughly 700 employees on its payroll and had industry standard security measures in place, including insurance against cyberattacks. But when a group of hackers managed to break into their system by guessing an employee password and encrypted all of their data, it was the end of the line for the trucking company.

A business is only as strong as its weakest link and when that weak point happens to be an employee's easy-to-guess password, the outcome can be devastating. Such was the case for KNP, a transport company that operated around 500 big rigs out of Northamptonshire.

The attackers didn't say how much the ransomware key would cost, but a specialist firm estimated it might cost KNP as much as five million pounds. Even with insurance, that was more than the company could pay. Ultimately, KNP shut down and hundreds of people were put out of a job.

KNP director Paul Abbott told the BBC that he never told the employee with the weak password that their compromised credentials led to the company's downfall. "Would you want to know if it was you?" he questioned.

Stories like KNP's are more commonplace than you might realize. Cybercriminals like those that hit KNP simply look for weak links in security. "They're just constantly finding organizations on a bad day and then taking advantage of them," a National Cyber Security Center team member named "Sam" (not his real name) said.

Part of the problem, Sam added, is that there are a lot of attackers. According to the UK government's cyber-security survey, there were an estimated 19,000 ransomware attacks on local businesses last year. The average ransom is around four million pounds and around one in three companies simply pay up to keep the ship afloat.

Despite multiple layers of protection, the problem is only growing. Suzanne Grimmer, who runs a team at the National Crime Agency, said the number of attacks has nearly doubled over the past two years. "If it continues, I predict it's going to be the worst year on record for ransomware attacks in the UK," Grimmer added.

As for Abbott, he now spends his time warning other companies about the dangers posed by cyber criminals.

Image credit: Jason Mitrione, FlyD

I wonder if there's more to this story. Ultimately their value is in hauling goods from place to place, and they still had trucks, truckers, and customers who knew about them even if they no longer had their numbers. Even if the situation required starting from literally zero records it feels like the current and future could be re-established with consequences short of losing the entire company.
 
Well, even though the employee was at fault for using an easy-to-guess password, the IT manager is equally at fault for not setting up enforcement of minimum password complexity requirements.

YUUUUUUP ... the IT Manager is fully responsible and should be named.
 
My best guess is that the hackers somehow compromised the backups too. Otherwise the ransom is too much money.

But I do wonder how this was done, because backups being deleted or destroyed is semi-terrifying.
I've been sent to an emergency before. Not a client, but they contacted us for emergency help as we were a nearby IT firm, and they had their backups stored on a local NAS that replicated to an offsite NAS.

But both sites were flat networks, security didn't really exist in any of the setup, the domain administrator account was used for access to the NAS shares for example, and that's the same account the backup software used to access everything.

Once the hackers got hold of that password, they deleted everything they could from the backups.

What was interesting though, and the reason I bring it up here (I didn't want to name Synology, but it's worth putting out there, and apparently this is fixed in newer firmware releases), is that on the firmware this company was on, the hackers had logged into the NASes with some engineering account and completely hard reset both NASes.

That didn't delete the data on the drives. I was able to set the NASes up again; they discovered the existing RAID and put themselves back together. The hackers did a poor job of deleting the backups: they logged into the software (Veeam) and deleted the backup jobs etc., but didn't check that Veeam had actually deleted the data, which it hadn't, luckily for me. Then I just restored everything to a new Azure environment that was actually locked down.
 
Makes you wonder if the company was in trouble, and perhaps about to go under or have to cut back, BEFORE the attack took place.
 
I wonder if there's more to this story. Ultimately their value is in hauling goods from place to place, and they still had trucks, truckers, and customers who knew about them even if they no longer had their numbers. Even if the situation required starting from literally zero records it feels like the current and future could be re-established with consequences short of losing the entire company.
Their clients likely expressed 0 confidence in the company, reputation counts for something which is why they were around so long.
 
Their clients likely expressed 0 confidence in the company, reputation counts for something which is why they were around so long.

It's not an IT company, it's a trucking company. Clients only care about receiving their goods on time. I'm sure there are other reasons the company went down since even the 500 big rigs is going to be a billion in assets.
 
If one compromised password could destroy the entire company, they didn't have network security. Any company should have a firewall to reduce the chances of unauthorized access, and at the least they should have had three backups, one being offsite. A Backblaze subscription would have saved the company, or really any backups. I wonder if their security guy, if they had one, told the company how much security would cost, and the company responded with "do the best you can with what we have".
 
If one compromised password could destroy the entire company, they didn't have network security. Any company should have a firewall to reduce the chances of unauthorized access, and at the least they should have had three backups, one being offsite. A Backblaze subscription would have saved the company, or really any backups. I wonder if their security guy, if they had one, told the company how much security would cost, and the company responded with "do the best you can with what we have".
Based on my experience with old companies in the UK (I must stress this isn't all of them), the ones that are managed properly, have decent cash flow and value IT tend to be pretty good with their IT.

But honestly, older companies run by older generations that don't value IT, they really don't care, they really struggle to understand why MFA is important, they also seem to be under this strange illusion that if their IT systems went down, they can "just go back to pen and paper".

I've also seen such neglect at some companies, I'm fairly certain the owners just want it to fail.
 
I feel sorry for the employees, but not the cheap bosses. Obviously too inept or too penny (pence?) pinching to pay for backups or implement 2FA?? Even my local auto repair shop that's mom and pop owned has fully automated AND manual backups. Their kid is taking cybersecurity classes and it's the first thing he did. Maybe the bosses needed a "take your kids to work" day to set things right before they went south.
 
So you're telling me that if I stipulate a cyber attack insurance, then leak a password online, and someone encrypts my whole server... I can close down my business, leaving 500+ people at home? Maybe even cashing in part of the insurance payout? How convenient :)
 
There are still a lot of companies, especially older ones, which see IT as a burden and not an integral part of their work. I mean, virtually everything runs on a computer now, so the CTO (if they have one) should sit as an equal to all others on the board (often IT folds under the COO and again is seen as an expense...).
 
- Company did not enforce strong passwords (like 16 char or more)
- No 2FA was in place
- No offline backup, since if they had one they would have lost at most a week of data.

So, it's all on the company, zero on the employee.
 
So you're telling me that if I stipulate a cyber attack insurance, then leak a password online, and someone encrypts my whole server... I can close down my business, leaving 500+ people at home? Maybe even cashing in part of the insurance payout? How convenient :)
That is what I thought too. It felt like they were almost happy to close the company.
They had a perfect reason and could put guilt on someone else.
Though of course, if this happens, it is because they did not protect their infrastructure and data properly.