On May 28, 2023, major corporations started to announce attacks on their systems by the CLOP ransomware group. CLOP is widely thought to operate from the Russian Federation. Victims are said to include Procter and Gamble, Virgin, Saks and others.
Attacks from Non/Quasi State actors can be expected to rise with international tensions.
Today (07.06.2023), CLOP used its dark web website to announce that personal information, including customer bank account details, would be released on the web:
"We deliberately did not disclose your organization wanted to negotiate with you and your leadership first," reads a Clop ransom note sent during the GoAnywhere extortion attacks.
"If you ignore us, we will sell your information on the black market and publish it on our blog, which receives 30-50 thousand unique visitors per day. You can read about us on Google by searching for CLOP hacker group."
Microsoft attributed the ransomware attack to zero-day vulnerabilities in the MOVEit Transfer platform.
The attacks started on or around 27 May – the Memorial Day holiday weekend.
Having an interest in International Law, I see the attack as raising questions of State responsibility for Non/Quasi State actors. What duties does the Russian Federation have to prevent and prosecute such actions? What State responsibility does Russia bear if it fails to take reasonable and proportionate actions in those regards? I am going to leave that aside for another article.
What are the legal duties on firms who discover they have been hacked? Perhaps this is a far more practical question.
- Contact the Information Commissioner's Office.
- Contact your internet provider and their security systems. You will need to know what was taken and to whom the information went.
- Act immediately. If you hesitate, the damage may be greater and the ICO will want to know why.
[Source ICO 07.06.2023]
- Ensure the ‘confidentiality, integrity and availability’ of systems and services and the personal data you process within them.
- You must be able to restore access and availability to personal data in a timely manner in the event of a physical or technical incident.
- You must have appropriate processes in place to test the effectiveness of your measures and undertake any required improvements.
- Your security measures must be proportionate to the sensitivity of the information held. If you hold sensitive medical data, your security measures must reflect this risk.
- Know the security measures protecting your IT.
- Make sure they are adequate to the risk.
- Act quickly if you have a suspicion.