Clarksons braced for data leak

'Clarksons will not be held ransom by criminals': CEO Andi Case. Credit: North Downs Photography
'Clarksons will not be held ransom by criminals': CEO Andi Case. Credit: North Downs Photography

Some Clarksons customers may find their confidential data released online as a result of a cyber-security incident involving the well-known shipbroker. Unlike the case of the NotPetya virus, which attacked Maersk in July and resulted in a loss of over USD300 million, this was a targeted incident in which a single-user account was used to gain unauthorised access to the company’s computer systems.

The London-headquartered broker, who issued a public statement about the incident on 29 November, confirmed that the account had now been disabled. “We have also put in place additional security measures to best prevent a similar incident happening in the future,” it said in the statement. “Clarksons would like to reassure clients and shareholders that this incident has not, and does not, affect its ability to do business.

“Today, the person or persons behind the incident may release some data. The company is in the process of contacting potentially affected clients and individuals directly,” it added.

Andi Case, Clarksons CEO, said, “Issues of cyber security are at the forefront of many business agendas in today’s digital and commercial landscape and, despite our extensive efforts, we have suffered this criminal attack. As you would rightly expect, we’re working closely with specialist police teams and data security experts to do all we can to best understand the incident and what we can do to protect our clients now and in the future. We hope that, in time, we can share the lessons learned with our clients to help stop them from becoming victims themselves. In the meantime, I hope our clients understand that we would not be held to ransom by criminals, and I would like to sincerely apologise for any concern this incident may have understandably raised.”

The Clarksons incident comes on the heels of the news that transport technology company Uber had paid a USD100,000 ransom to hackers to delete personal information of 57 million customers and drivers in October 2016. It is currently in the firing line as it had failed to notify the individuals and regulators about the breach and had attempted to cover up the incident.

However, it would be erroneous to assume that Clarksons has been hacked. Speaking exclusively to IHS Markiton condition of anonymity, a London-based hacking expert said, “The fact that they said there was a single account used opens the possibility that this wasn’t a malicious hack. It may have been that a user – either an employee or customer – used the same password for the Clarksons account as for another site where their details may have been leaked. Many hackers will use combinations of email addresses and known passwords, and this may have been a crime of opportunity rather than a targeted hack.”

Depending on the nature of the data taken, the expert believes that the person/s behind the incident would have a back-up plan to gain financial benefit from their efforts. “The most obvious source of income would be to sell the information to scammers that can use any information for identity theft, but if there is specific commercial data that they gained, the person/s might approach targets that would be willing to pay for that information – such as competing companies. That said, the person/s may release the information as a show of force for other targets and to gain notoriety in the press.”

Clarksons confirmed that the data at issue “is confidential and lawyers are on standby wherever needed to take all necessary steps to preserve the confidentiality in the information”, and the path taken by the criminals remained to be seen.

In the wake of this incident, the broker said that it had been “working with data security specialists to investigate further and has notified the relevant regulatory bodies. Clarksons takes issues of IT security extremely seriously and continues to invest heavily to further enhance the systems and procedures it has in place. As part of this, the company is continuing with a wider review of cyber security that began earlier this year and is, for example, accelerating the roll-out of various additional IT security measures.”

An IT security consultant told IHS Markit that no system connected to a network was invulnerable to attack.

“The best defences are actually updates and monitoring. Keeping IT systems up-to-date with the latest patches, and updating the hardware and operating systems when needed always helps, as does running tools that monitor for vulnerabilities.” He also stressed the importance of knowing the security best practices for the systems being deployed and testing that these have been applied, such as only opening necessary firewalls. “Knowing what your sensitive data is and where it is and who has access is key to protecting it. Once you know all those things you can monitor – and hopefully detect – odd patterns of behaviour,” he added.

“In the Clarksons case, a single-user account was compromised. So how did they know that? Did the user log in from a different machine at an odd time of day, for example? Another monitoring trick is to understand the baseline traffic that happens on your network. This allows you to spot anomalies and act. Again this may have happened in the Clarksons case, however I suspect that this is an after-the-fact discovery.”

Shipping companies are increasingly finding themselves targets of cyber criminals, with 34% of 284 respondents in IHS Markit’s recent cyber-security survey reporting that their organisation has experienced a cyber attack in the past 12 months – and just 63% stating that their organisation had taken steps to provide awareness on cyber best practice for staff and crew. It is also of note that the largest cyber vulnerability cited by respondents (47%) was people, making it critical that companies educate their employees about online safety.