
Global Shipping Firm Clarksons Provides Update on 2017 Breach

Clarkson PLC (Clarksons), a global shipping services firm, this week provided an update on the breach it suffered between May and November 2017. The update reveals little more about the nature of the breach, other than the extent of the customer personal information that was stolen.

In November 2017, Clarksons revealed that a single compromised user account had allowed attackers to infiltrate its systems, exfiltrate personal data, and demand a ransom for its safe return. Clarksons declined to pay the ransom, and for some time it was expected that the data might be revealed. “I hope our clients understand that we would not be held to ransom by criminals, and I would like to sincerely apologise for any concern this incident may have understandably raised,” said Andi Case, CEO of Clarksons.

In its latest statement (PDF) the firm claims it was able — with the help of law enforcement and forensic specialists — to successfully trace and recover the stolen data. It doesn’t state — and probably could not know — whether the stolen data had been copied before it was recovered. It is nevertheless warning those potentially affected by the incident to, “Remain vigilant against incidents of identity theft and fraud by reviewing personal account statements for suspicious activity and to detect errors.”

What is most surprising in this updated information is the extent of personal information that was stored by the company and stolen by the criminals. In full, the statement says, 

“While the potentially affected personal information varies by individual, this data may include a date of birth, contact information, criminal conviction information, ethnicity, medical information, religion, login information, signature, tax information, insurance information, informal reference, national insurance number, passport information, social security number, visa/travel information, CV / resume, driver’s license/vehicle identification information, seafarer information, bank account information, payment card information, financial information, address information and/or information concerning minors.”

There is no mention of whether any of this data was encrypted or hashed. Identity theft, bank fraud and blackmail are the most obvious threats if such data were in the wrong hands.

“In this particular incident, what is honestly shocking is the amount of sensitive data that this single account had access to and I am sure the EU GDPR will be looking closely,” comments Joseph Carson, chief security scientist at Thycotic. “If it is found that EU GDPR applies, and Clarkson PLC had failed to apply adequate security, they could be facing a huge financial penalty.” Whether GDPR can be invoked will be up to the individual EU regulators. Clarksons claims the intruder had access to its systems from May 31, 2017 until November 4, 2017, which is before GDPR became active on May 25, 2018.

Rishi Bhargava, co-founder at Demisto, told SecurityWeek that Clarksons appears to have gone through the mechanics of breach notification conscientiously. “Clarksons seems to have provided updates and apprised affected individuals in a comprehensive and transparent manner,” he said. “There are numerous cross-industry regulations to deal with while implementing breach notifications, and the granularity of US state-specific information shared by Clarksons is testament to that.”

But he added, “The bigger question to consider is whether Clarksons needed to retain all this personal information in the first place. With GDPR introducing strict regulations for data processing, data consent, explicit need for processing, retention timelines, and deletion, organizations need to rethink their entire ‘data supply chain’ if they haven’t already. However transparent breach notifications are, they’re still a post-breach exercise and need to be matched by operational data discipline in order to truly bring accountability to data processors.”

It is possible that the tracing and recovery of the stolen data also implies knowledge of the perpetrator — he or she may even be in custody. If this is true, it will probably be only through subsequent court documents that we discover exactly how the breach occurred. However, most security experts believe our knowledge so far points to a failure to use multi-factor authentication, and a failure to adequately manage privileged accounts.

Timur Kovalev, CTO at Untangle, told SecurityWeek, “While unfortunate, these sorts of breaches are certainly not uncommon. However, there are steps that organizations can take to mitigate their risk. Requiring multi-factor authentication for user accounts is a rational first step. Additionally, IT departments need to limit access of even properly credentialed users to only those apps and systems that are critical for that person’s business use. Finally, companies can reduce the amount of customer data they are storing anywhere on networked systems; GDPR will certainly help accelerate this best practice.”

Carson agrees. “The lesson to be learned from this incident is the importance in protecting accounts with privileged access to sensitive data and that those accounts should never use a password as the only security control. Similarly, a single account should never have full access to such a large amount of data — at least without peer reviews and approval processes.”

The question of whether Clarksons had a valid reason to store that amount of highly sensitive personal data remains one for the regulators.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
