27.7.19

South African power company battles ransomware attack


The power utility appears to be well on track to a swift recovery following an attack that ultimately left some people without electricity
City Power, one of the companies that supplies electricity to South Africa’s biggest city Johannesburg, is grappling with a ransomware attack that left some residents without power, according to Reuters.
The unspecified ransomware strain “has encrypted all our databases, applications and network”, reads the utility’s announcement from early Thursday local time.
The applications that were affected include the company’s prepaid vending system, which made it impossible for people to ‘refill’ their accounts and buy electricity units. As ZDNet notes, all this occurred on the pay day date (the 25th) for many South Africans who would then go on and pay for new electricity packages for the upcoming month.
The City of Johannesburg, which owns the utility, apologized for the “inconvenience” and said that its response to outages may be delayed after the system for ordering and dispatching material was also affected. The grid itself was not impacted.
No details about the attack vector or the criminals’ demands are available. The municipality was quick to reassure customers that their personal information had not been exfiltrated by the attackers, unlike the case, for example, with the ever more frequent data breaches.
Meanwhile, the utility is working around the clock to restore its systems. “If everything goes according to plan, everything should be restored by Friday,” it said. The company’s website, for one, remained inaccessible at the time of writing.
The municipality appears not to have followed in the footsteps of two cities in Florida, in the US, which recently decided to pay hefty sums to ransomware extortionists.
In closing, a quick aside: While this wasn’t the case with the incident at City Power, attacks aimed at interrupting the electricity supply aren’t unheard of. Ukraine, for one, has experienced two attack-induced blackouts in recent years. ESET researchers have analyzed samples of malware known as Industroyer, which was probably to blame for an hour-long outage that hit parts of Kiev and nearby areas in December 2016. That piece of malicious code was found to be capable of controlling electricity substation switches and circuit breakers directly, including, in some cases, literally switching them off and on.

25.7.19


Data breaches can haunt firms for years
The compromised company may bear the financial brunt of the breach within the first year after the incident occurs, but the price tag is still far from final

The average cost of a data breach has risen 12% over the past five years to US$3.92 million globally, according to IBM’s 2019 Cost of a Data Breach study, which drew on input from more than 500 companies around the world that suffered a breach over the past year.

The rising financial impact was attributed to a trio of factors – the multi-year financial fallout from breaches, increased regulation, and the complexity of resolving criminal attacks.

The report comes at a time when several companies are facing the prospect of hefty bills for massive cyber-incidents. These include Equifax in the United States and British Airways and Marriott Starwood in the United Kingdom.
For the first time this year, the study from IBM Security and Ponemon Institute also looked at the ‘long tail’ financial impacts of breaches. It found that while the compromised firm typically bears the financial brunt of the incident within the first year after it occurs, by no means is it ‘out of the woods’ so soon.

“While an average of 67% of data breach costs were realized within the first year after a breach, 22% accrued in the second year and another 11% accumulated more than two years after a breach. The long tail costs were higher in the second and third years for organizations in highly-regulated environments, such as healthcare, financial services, energy and pharmaceuticals,” reads the press release.

Among other findings, the report highlighted that in a number of ‘scenarios’ the financial consequences can climb even higher.
First, the incidents tend to be costlier for firms that suffered breaches at the hands of malicious actors, as opposed to incidents caused by human or system errors. Malicious breaches not only accounted for more than half of the incidents under review; they also cost US$1 million more than inadvertent breaches (US$4.45 million versus US$3.5 million).

In addition, for firms based in the US, the average cost of a breach climbed all the way to US$8.19 million, having risen by 130% over the past 14 years.
Typically, breaches weigh particularly heavily on healthcare organizations, which recorded the highest average cost (US$6.5 million) and topped the list for the ninth year in a row.

Regardless of the industry, however, a data breach can be downright devastating for a small or even mid-sized business. The study found that companies with fewer than 500 employees suffered losses of more than US$2.5 million on average. To put that into perspective, small businesses typically earn US$50 million or less in annual revenue.

The average life cycle of a breach was 279 days. More precisely, on average it took companies 206 days to spot an incident and another 73 days to contain it. For malicious breaches alone, it took even longer: 314 days.

“Companies in the study who were able to detect and contain a breach in less than 200 days spent US$1.2 million less on the total cost of a breach,” according to the report. It outlined a slew of other factors that influenced the financial fallout, including the number of data records lost, whether the breach originated from a third party, and whether the company made extensive use of encryption.

In her excellent article last year, ESET security researcher Lysa Myers outlined how preparing for the worst can actually help firms avoid falling victim to such incidents in the first place.
For more information on ESET and the free e-book, visit: https://www.eset.com/be-fr/professionnels/data-protection-ebook/