Cyber claims case study: Car part chaos
When an auto parts dealer gets hit by a ransomware attack, it comes close to wrecking their business
Most modern organizations, including those operating in the automotive sector, will utilize their computer systems to perform certain key business functions in one way or another.
Most automotive businesses have a website to advertise their business or to sell their products, hold electronic data on employees and customers, make use of software programs to monitor sales data and manage stock levels, and use email to communicate with both customers and suppliers, to give just a few examples. If these systems were to be made unavailable as a result of a cyber attack or system failure, it could have a detrimental impact on the business in question and result in substantial losses being incurred.
One of the main drivers of cyber losses is ransomware. Ransomware is a type of malicious software or encryption program that works by encrypting data on a network and then demands that a ransom be paid in exchange for a decryption key to regain access to the data. Ransomware has wreaked havoc on countless businesses in recent years, and those operating in the automotive sector are no exception to this.
One of our policyholders who recently fell victim to a ransomware attack was a small auto dealer business, with annual revenues just short of $30 million. The business primarily specializes in the sale of new and used car parts to both domestic and international customers, which are primarily sold via a call center, and the car parts themselves are held in a number of warehouse locations. Customers get in touch with the call center, the call center employee then checks whether the item is in stock via a software program and then issues the customer with a quote. If the quote is accepted by the customer, an invoice is issued, and the car part is sent for delivery. The business also owns and operates several vehicle repair workshops and scrapping yards, which act as one of the sources for the used parts.
Open RDP is the road to trouble
The incident began when a hacker managed to gain access to the company’s computer systems through the remote desktop protocol (RDP). RDP allows remote users to connect to the desktop of another computer through a network connection and is typically used by organizations to allow employees to access their networks while they are working remotely. If the port an organization uses for RDP access is exposed directly to the internet, it’s easy for malicious actors to find it, where they then attempt to gain access to an organization’s computer systems. In this case, the port the business used for RDP access was open to the internet, providing the hacker with an opening which they could exploit.
Having identified this vulnerability, the hacker initiated a brute-force attack to obtain credentials to the organization’s local administrator account. A brute-force attack is where a hacker uses a computer program to crack passwords by trying numerous possible password combinations in quick succession, with the program typically trying a long list of the most commonly used passwords. Generally speaking, the longer and more complex the password, the more difficult and time consuming it is for the program to crack. Unfortunately, however, the business’s local administrator account had a weak password in place, a consequence of using a default password that had never been changed.
With the password lacking in complexity, the brute-force program was able to crack the password with ease. To make matters worse, the business didn’t have multi-factor authentication enabled for RDP access, so as soon as the password was cracked, the hacker was able to gain access to the organization’s network without having to go through a second verification procedure, such as inputting a verification code or number.
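The two weaknesses described above (an RDP port exposed to the internet and a password-only local administrator logon) leave a recognisable trace in Windows Security logs: a burst of failed RemoteInteractive logons from one source address, followed by a success. The script below is an added example, not part of the original case study or CFC's tooling; it runs a simple burst detector over a constructed sample of event records (event 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP), with the threshold and time window chosen as assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (not taken from the incident):
# (timestamp, event id, logon type, source ip, account)
SAMPLE_EVENTS = [
    ("2024-03-01T02:00:00", 4625, 10, "203.0.113.7", "Administrator"),
    ("2024-03-01T02:00:04", 4625, 10, "203.0.113.7", "Administrator"),
    ("2024-03-01T02:00:09", 4625, 10, "203.0.113.7", "Administrator"),
    ("2024-03-01T02:00:13", 4625, 10, "203.0.113.7", "Administrator"),
    ("2024-03-01T02:00:18", 4625, 10, "203.0.113.7", "Administrator"),
    ("2024-03-01T02:00:22", 4624, 10, "203.0.113.7", "Administrator"),
    ("2024-03-01T09:15:00", 4625, 10, "192.0.2.44", "jsmith"),  # single typo, benign
    ("2024-03-01T09:15:30", 4624, 10, "192.0.2.44", "jsmith"),
]

def parse(events):
    """Turn the raw tuples into rows with real datetimes so they can be ordered."""
    return [(datetime.fromisoformat(t), eid, lt, ip, acct) for t, eid, lt, ip, acct in events]

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons inside `window`,
    and record whether a successful RDP logon from that source followed."""
    rows = sorted(parse(events))
    failures = defaultdict(list)  # source ip -> timestamps of recent RDP failures
    findings = {}
    for ts, eid, logon_type, ip, acct in rows:
        if logon_type != 10:
            continue  # only RemoteInteractive (RDP) logons are of interest here
        if eid == 4625:
            failures[ip].append(ts)
            # keep only failures that fall inside the sliding window
            failures[ip] = [t for t in failures[ip] if ts - t <= window]
            if len(failures[ip]) >= threshold:
                entry = findings.setdefault(ip, {"failures": 0, "success_after": False, "accounts": set()})
                entry["failures"] = len(failures[ip])
                entry["accounts"].add(acct)
        elif eid == 4624 and ip in findings:
            # a success immediately after a burst is the signature of a guessed password
            findings[ip]["success_after"] = True
            findings[ip]["accounts"].add(acct)
    return findings

if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, info)
```

With MFA enforced on RDP, the 4624 that follows the burst would not occur, which is exactly the second check the case study says was missing.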
Hacker gets keys to whole system
Once the hacker was logged in, they downloaded password scraping software that allowed them to obtain the policyholder’s domain administrator account credentials, allowing for greater access across the network. With the preliminary work done, the hacker then went on to launch their encryption software across multiple servers, leaving a ransom note for the business and requesting that a payment of 40 bitcoin be made in return for the decryption key.
Upon discovering the ransom note and realizing that its computer systems and data were no longer accessible, the business notified CFC’s incident response team to determine the next step. The incident response team’s first priority was to establish the status of the organization’s back-ups. Fortunately, the auto dealer did have offline back-ups stored on a USB flash drive that it could look to restore from. Given the high cost of the ransom demand and the fact that back-ups were in place, the business decided to eschew paying the ransom demand and recover from back-up instead.
The policyholder’s IT team, working with our incident response team, then went about restoring the system from the offline back-ups, but this was a time consuming process, involving the rebuilding of all affected servers and workstations, and it would take nearly two weeks for the system to be restored fully.
Trouble getting back to full speed
In the meantime, the auto dealer faced significant operational problems. This disruption was felt most acutely in the part of the business focused on the selling of new and used car parts. The company used an enterprise resource planning (ERP) software program to manage this section of the business. The ERP system was used to manage the stock inventory of new and used car parts; create quotes for customers; modify pricing and apply discounts; manage currency, tax and transaction issues for exports to foreign countries; arrange billing and delivery for customers; and provide real time sales data for senior management. In short, access to the ERP system was an essential part of the auto dealer’s business operations.
Unfortunately, the policyholder’s ERP system was impacted by the ransomware attack and rendered inaccessible, resulting in problems for call center and warehouse staff. Although the organization’s phone systems were unaffected and call center staff could still take calls from prospective customers, without access to the ERP system, it wasn’t possible to automatically check whether an item was in stock or not. The only option would be to note the customer’s contact details on a piece of paper, call one of the warehouses and get a member of the warehouse staff to physically check if an item was in stock or not.
What’s more, even if an item was in stock, it wasn’t possible to send over formal quote documents to the customer as the normal process for creating quotes was dependent on the ERP system, so call center staff had to resort to giving indicative prices over the phone to the customer instead.
In addition, without access to previous quotes and customer details on the ERP database, call center staff were unable to chase up on quotes with prospective customers and secure new orders. If a customer did get in touch to confirm that they would like to go ahead with purchasing a particular car part, call center staff weren't able to simply process the order and arrange delivery through the ERP system like they normally would. Now, they had to explain to the customer that they could make a note of the customer’s intention to buy, but that delivery and invoice processing would be delayed due to the ERP system being unavailable.
Procurement was also impacted. Without access to the most recent stock and sales data, the management team did not have an accurate overview of which items were low in stock and needed to be re-ordered from suppliers, resulting in a shortage of popular items.
Operational difficulties such as these were significantly slowing down the sales process and dissuading customers from making purchases with the company. The policyholder’s customer base is primarily made up of small, infrequent purchasers of car parts as opposed to consistent purchasers with long term arrangements in place with the business. As a result, customer loyalty is low and if the business doesn’t have an item in stock or if there are likely to be delays with the purchase or delivery of an item, customers will simply look to source car parts from other suppliers, with little opportunity for the organization to claw back this business once it has gone elsewhere.
In the immediate aftermath of the ransomware attack, the auto dealer’s revenue dropped below 5% of its usual level and even though the organization’s computer systems were fully operational again within two weeks of the attack, it still took several weeks to re-engage suppliers and gain traction with customers once more. In total, over the course of an 8-week period, the business saw its revenue drop from an expected $4,450,027 to $3,401,978, a shortfall of $1,048,049. After the application of the business’s rate of gross profit of 58%, this represented a business interruption loss of $607,868.
This came on top of an additional $183,045 incurred to restore impacted servers and workstations from back-up, carry out forensic investigations to establish the root cause of the attack, carry out a full scan to remove any residual malware from the insured’s computer systems, and carry out some post-breach remediation in order to reduce the likelihood of the attack happening again. Thankfully for the business in question, they had a cyber insurance policy in place with CFC and were able to recover these losses under the policy.
Getting businesses back up and running
This claim highlights a few key points. Firstly, it highlights the importance of securing the remote desktop protocol (RDP) effectively. In particular, it illustrates the importance of having multi-factor authentication in place on all business email accounts. Although the attack was partly enabled by the use of a weak password on the organization’s domain administrator account, it’s highly unlikely that the attack would have gone any further if the business had had multi-factor authentication in place to secure the remote desktop protocol.
Secondly, it shows just how dependent most businesses are on their computer systems. In this case, the policyholder’s business model was highly dependent on its enterprise resource planning system to efficiently source and sell new and used car parts, and when that software program was made unavailable as a result of a ransomware attack, the business suffered substantial operational and financial difficulties as a result.
Finally, this claim highlights the importance of having a cyber insurance policy. Even if a business has prudent risk management controls, it can still rack up significant costs in the event of a cyber attack. In this instance, even though the auto dealer had offline back-ups in place and was able to successfully recover from them, the business still incurred nearly $800,000 as a result of the ransomware attack. However, by having a cyber insurance policy in place, the insured was able to successfully recoup these losses, providing a valuable safety net for the company.