A Cyber Crime Trilogy

These are the stories of three victims – an individual, an SME and a public service – and what you can learn from them.


The Individual

Edinburgh, December 2015

Esther Gauld creates an account with a popular online takeaway platform that presents her with the menus for dozens of local restaurants. Having added her debit card details to her account, all she has to do is make her choice, place her order and pay for it.

The process works as it should: the payment goes through, the restaurant receives the order and the cooks begin preparing it. Something else happens, though – something that’s not part of the process. A hacker several thousand miles away in Kingston, Jamaica receives Esther’s debit card details – and is able to use them to withdraw cash.

Over the next 24 hours, Esther’s bank account is systematically emptied at various ATMs around the city. Her bank, noticing suspicious foreign activity, blocks the card. Esther only discovers this when she attempts to pay for some shopping and calls to find out what’s going on.

Having previously worked in financial services, Esther considers herself reasonably diligent when it comes to entering payment details online. She also knows, though, that the onus shouldn’t have been solely on her to ensure the security of her payment details – it should have been on the business she’d entrusted them with.

“All businesses have a duty of care to their customers, especially if they’re dealing with sensitive information like that. I had absolutely no reason to be suspicious of the platform – lots of my friends and colleagues had used it before me.”

Fortunately, Esther was given a full refund after receiving an incident number from the police and signing a statement to declare that the money was indeed stolen from her – although exactly how the hacker obtained her details was never uncovered. “In honesty, the incident was more of an inconvenience than an actual loss,” she says. “People aren’t likely to make a fuss if they’re compensated.”

Unfortunately for the business, though, Esther has resolved never to use it again – and she’s keen to warn others to follow suit, for only a week after the hack a friend of hers used the platform and was later notified by her bank that someone had tried to systematically empty her bank account – again, in Jamaica.

The Takeaway

It’s not just blatantly bogus lottery-win emails that hackers use to target individuals; accessing people’s data and payment details has been made much easier with the advent of e-commerce. Businesses whose customers have entrusted them with such sensitive information have a vast responsibility to this end.

The Small Business

Glasgow, October 2015

Ken Main is at home doing paperwork when he receives a phone call from the manager of the hair and beauty salon he and his wife own in Glasgow’s West End. She tells him she thinks the business’s computer system has been hacked. Confused and a little doubtful, Ken tells his manager to proceed with business as usual but to let him know of any developments.

Five minutes later, the phone rings again. An email with a Russian domain name has come through claiming that the entirety of the business’s data has been locked in a file and is being held to ransom. The hacker wants the equivalent of $250 in Bitcoin. If it’s not paid in a set time period, the file will be deleted.

Ken rushes to the salon, where the effects of the hack are being felt instantly: text message notifications to clients aren’t going out and the team has no record of appointments. Before long, the hacker has upped the ransom to $1000 in Bitcoin.

“We lost a heck of a lot of money in the first few days,” says Ken. “We didn’t know who was coming in when. Our customer database had gone, we had no history, no personnel files, nobody to contact. As a business owner who hadn’t gone through anything like that before, I panicked. I started thinking that my whole business was about to go down the tubes – and so I made the decision to pay the ransom.”

Ken received a key to the file after paying up, but 95 per cent of the data contained within the file was corrupted, and the hacker was nowhere to be seen. It was then that the gravity of the situation struck home:

“I realised that I had no figures to look back on for the end of the financial year. Creating cashflows and forecasting was going to be impossible. Even seemingly small things like job specifications – redoing them takes time and money.”

The cyber attack happened in 2015. Two years on and he and his wife are still in the process of rebuilding the business they spent 17 years establishing. Unlike Esther, who was given compensation almost immediately, Ken and his wife have had to pick up the pieces themselves – but that was the only option. “It’s only in the last year that I’ve had figures I’ve been able to use to pull the business forward,” he says.

Ken remains in an especially small minority for going public about the hack on his business. Coincidentally, it happened the day after the telecom giant TalkTalk suffered an attack which ultimately cost the organisation £42 million. “The newspapers were full of stories about the TalkTalk situation,” says Ken. “I realised then that I should be going public about the hack on my own business. People – small business owners specifically – need to know that this doesn’t just affect huge organisations. Until you’ve been stung, it’s difficult to realise the severity of what can happen.”

The Takeaway

Ken admits that the hack he suffered could have forced him out of business. While small businesses don’t need to go public if they do become the victims of cyber crime, it’s imperative that they’ve got the right systems in place to thwart attacks in the first instance – and that they know where to turn in the event that they do fall victim to cyber crime.

The Public Service

UK-wide, May 2017

Doctors’ surgeries across the UK are gearing up for a new day, opening doors to patients, pulling down records, giving diagnoses, writing prescriptions, making referrals and taking new appointments. For staff, it’s no different to any other morning.

But by the afternoon, everything has changed. One-by-one, computer screens go blank. Phone lines are cut off. GPs lose access to medical records and results, and patients are turned away.

The biggest ransomware offensive in history has begun, and it isn’t just doctors’ surgeries that are under attack; the NHS as a whole is being crippled. Ambulance services are cut off and hospitals are put on accident and emergency divert. Soon, only medical emergencies are being dealt with – and even then some patients awaiting surgery are being told – on hospital beds – that their procedures are getting cancelled.

The WannaCry offensive (named after the programme used by the hackers) that took place in May this year affected more than 40 individual health service organisations across the UK. The hackers – believed to be part of a cyber gang called Shadow Brokers – had managed to infect NHS computer systems with the programme by exploiting a security vulnerability as well as sending out phishing emails to encrypt data and hold it to ransom. Demands varied from $300 to $600 to unlock the files. The government’s recently established National Cyber Security Centre was working around the clock to bring the situation under control.

Later, the scale of the offensive came to light. Far from only concerning the NHS, more than 45,000 individual attacks in some 150 countries across the globe were reported as part of WannaCry. The NHS wasn’t a sole target; it just happened to be caught up in the maelstrom.

After the crisis was resolved it came to light that the vulnerability the hackers had exploited had been patched by Microsoft two months before the attack, but that the patch hadn’t been put in place across the whole of the NHS. This allowed the hackers to effectively hold the NHS to ransom as part of the broader attack, ultimately costing the service millions in disruption – and much more still in personal distress.

The Takeaway

It’s too easy to get comfortable with legacy systems (and easier still to ignore update notifications), but making sure computer systems are up-to-date is one of the most crucial and straightforward ways to ensure greater cyber resilience – regardless of whether you’re an individual, a small business or a national organisation.
