Global shipping firm Clarksons has warned that confidential data stolen as a result of a "cybersecurity incident" could be made public, following the company's refusal to pay a ransom to hackers.
In a statement, the shipbroker, one of the largest in its sector, said that it had fallen victim to a "criminal attack" in which attackers gained unauthorised access to the company's computer systems through a "single and isolated user account", which Clarksons has since disabled.
Clarksons, which has 49 offices in 21 countries, hasn't disclosed what information has potentially been stolen by hackers, only that the data in question is "confidential". While the company hasn't disclosed when the breach took place or when it was discovered, it said it took "immediate steps to respond to and manage the incident".
A Clarksons spokesperson told ZDNet that due to the ongoing investigation into the incident, it'd be inappropriate to make any further comment about what happened at this time.
However, the company has issued a warning that the data might be at risk of being made public because those behind the attack have now threatened to release it after the shipbroker refused to pay them a ransom.
"Today, the person or persons behind the incident may release some data. As a responsible global business, Clarksons has been working with the police in relation to this incident. In addition, the data at issue is confidential and lawyers are on standby wherever needed to take all necessary steps to preserve the confidentiality in the information," the company said.
"I hope our clients understand that we would not be held to ransom by criminals, and I would like to sincerely apologise for any concern this incident may have understandably raised," said Andi Case, CEO of Clarksons.
The company is in the process of directly contacting potentially affected clients and individuals, as well as working with the police and security experts in response to the attack. The company also said it has contacted the relevant regulatory bodies about the incident.
"Issues of cybersecurity are at the forefront of many business agendas in today's digital and commercial landscape and, despite our extensive efforts we have suffered this criminal attack," said Case.
"As you would rightly expect, we're working closely with specialist police teams and data security experts to do all we can to best understand the incident and what we can do to protect our clients now and in the future."
"We hope that, in time, we can share the lessons learned with our clients to help stop them from becoming victims themselves," Case added.
In a statement to ZDNet, the Information Commissioner's Office said: "We're aware of an incident at Clarkson PLC and will be making enquiries."