It started with a simple email back on June 8, recalled Zachary Chilson: a truck driver application with a resume attached, no different from hundreds of others received every week by OutWest Express LLC, a 150-truck long-haul fleet based in El Paso, TX.
Yet when opened, the Word document attached to that email appeared completely blank, said Chilson, OutWest’s VP.
Except it wasn’t.
In actuality, that “blank” Word document served as cover for a powerfully encrypted piece of malicious software, or “malware.” When the recruiter closed the document – it looked blank, after all – the malware quickly went into the main server’s “shared file” and began to wreak havoc.
All the server logins were changed, Chilson said, and then a message popped up on OutWest computer screens containing a phone number, saying that if the carrier wanted to unlock its server, it had to call said phone number and pay up.
“Actually, at times four different phone numbers were displayed on our screens and we called each one,” he said. “Only one was answered, by a woman who said we’d dialed the wrong number.”
To make matters worse, Chilson learned from his information technology (IT) department that they hadn’t backed up their server correctly, so a lot of critical company information remained out of reach. In the end, he said OutWest had to pay an outside firm to conduct what’s called a “forensic recovery” – “that was very expensive,” Chilson stressed – that ended up returning most, but not all, of the carrier’s “ransomed” data.
“We didn’t get all of our files back, so we had to start over from scratch in many ways,” Chilson pointed out.
The company also made a host of other changes to better protect itself against future “hack attacks” as it restored its computer systems: installing better and more up-to-date virus protection, arranging for more frequent and detailed backups for all servers and computers, and adding more Internet bandwidth through which to do all of that.
Case closed, Chilson thought with relief.
Until the phone calls from OutWest’s freight brokers started coming in.
“They’d stolen all our customer data out of our server and apparently started calling the brokers on our lists, booking loads under our name and insisting on cash advances,” he said – cash advances that totaled up to $800 per load in some cases.
“When the loads never got picked up, obviously, the brokers started calling us,” Chilson noted.
Fortunately, the contracts OutWest had signed with its brokers stipulated that under no circumstances would cash advances be collected, Chilson stressed; thus OutWest didn’t have to pay restitution for that particular piece of fraud.
Still, the rapid use of OutWest’s data to commit such fraud worried Chilson to no end – and still worries him today.
“We had all kinds of sensitive data files stored in our server: tax returns, social security numbers, things like that,” he said. “So now we’re stuck waiting to see if they try to use any of that.”
Even worse in some ways, Chilson could not, after multiple attempts, get law enforcement interested in investigating the hacking of OutWest’s server, even with fraud being committed in the carrier’s name.
“We called the local [police] authorities; they provided no help. They didn’t even write up a police report,” he said. “We even tried the FBI [Federal Bureau of Investigation] but got nowhere.”
Albert “Bert” Glen, a cybercrime prosecutor with the U.S. Attorney’s Office for the Eastern District of Pennsylvania, noted during the discussion that the dollar value of such crimes may be one reason limiting law enforcement interest, as many agencies don’t get involved if the crime involves damages of less than $100,000.
“The fraud perpetrated on OutWest’s customers can be constituted as a federal crime under wire fraud law; law enforcement can be liberal in using such statutes to prosecute hackers,” he said, yet stressed that in the FBI’s case its “first priority” is to combat terrorism, meaning that such cybercrime incidents get pushed well down its investigative list.
Matters are complicated further when cybercriminals are located outside the U.S. – “when the trail goes overseas, it gets lost quickly,” Glen noted – or when the perpetrators turn out to be minors.
“We had one cybercrime case in Georgia where a search warrant got issued on a home from where the emails originated from,” he said. “Law enforcement ended up being directed down the street to the middle school where the ‘bad guy’ was attending 7th grade.”
In the end, the “reputational damage” incurred by the corporate victim of a cybercrime may outweigh any monetary losses.
According to the Ponemon Institute, the average cost of cybercrime in the U.S. is $12.7 million, which is a heavy toll for all but the largest companies.
Yet even if a breach doesn’t end up being financially ruinous or legally damaging, it can erode a business’s public reputation and trust, noted Bruce Andrew, senior VP of information security firm Shred-It, in a recent report.
According to the company’s 2015 Information Security Tracker Survey, some 85% of C-suite respondents and 37% of small business respondents say they have a cyber-security policy in place. Yet improving security goes beyond implementing a policy, Andrew stressed, as training employees is among the most important cyber-security elements.
“Though some attacks are the results of intrusive hacking, many have been the result of lax training—unencrypted phones that are stolen, passwords left visible on desks, and employees giving out sensitive information to fraudsters ‘phishing’ for ways to get access to confidential data,” he emphasized.
“When you consider that, according to our survey, 43% of c-suite respondents and 86% of small-business respondents train employees once a year or less on information security protocols and procedures, it’s clear that there is room for improvement,” Andrew added.
OutWest’s Chilson echoed that perspective during his presentation at ATA’s MC&E this year, adding that spreading the word about how critically important Internet security is to trucking companies large and small is why OutWest decided to share its “hack attack” story.
“The biggest lesson we’ve learned is that you just never have enough computer security,” he said. “Computers are simply the gateways to businesses today and must be protected as such.”