Cyber Incident Victim: Brimborg
Date: Aug 2023
Location: Iceland
Summary
Brimborg, an automotive dealership, suffered a cyberattack where data was taken hostage. The company immediately engaged top cybersecurity specialists to analyze the breach, restore systems, and recover the data. The full scope of the incident was not immediately known. All business locations remained open while personnel worked to provide service. The Data Protection Authority was notified of the event.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On the night of August 29, 2023, the Icelandic automotive company Brimborg was subjected to a significant cyber attack. The incident involved a breach of parts of the company's information systems, resulting in data being taken hostage. The attackers executed a ransomware operation, encrypting company data and holding it for ransom, which immediately crippled segments of Brimborg's operational infrastructure. The initial discovery of the breach was made by Brimborg's own staff, who promptly initiated the company's incident response protocols. The exact vector of the attack and the specific vulnerabilities exploited were not immediately apparent, necessitating a thorough forensic investigation to understand the full scope and technical details of the security failure.

As soon as the attack was detected, Brimborg's management engaged the foremost cybersecurity experts in Iceland to assist in managing the crisis. This swift action was aimed at containing the breach, analyzing its extent, determining the root cause of the security failure, and ultimately working to restore the affected systems to full operational status. The work to recover the systems and the data was ongoing in the immediate aftermath, and consequently, the full scope of the incident was not known at that early stage. The company publicly stated that the extent of the attack and the specific data impacted remained undetermined as the investigation was still in its preliminary phases.

The incident was treated with the utmost seriousness due to the nature of the data Brimborg handles. The company, which operates as a car dealership selling new and used cars, trucks, and machinery, also runs a car rental service with both short-term and long-term leases, a tire and rapid-service business through its MAX1 and Vélaland divisions, and serves car owners with parts and repairs. Its operations necessitate the collection and processing of a significant amount of personal data belonging to its customers. In accordance with data protection regulations, the Icelandic Data Protection Authority (Persónuvernd) was formally notified of the breach. The national Computer Emergency Response Team, CERT-IS, was also brought in to provide additional expertise and coordination at a national level. This dual reporting highlights the potential severity of the incident regarding the compromise of personally identifiable information. The company's own privacy policy, referenced in news reports, states that Brimborg engages in the "collection, registration, processing, storage, and dissemination of personally identifiable information about its customers and individuals who have contact with the company in one way or another."

While the specific categories of data exfiltrated or encrypted were not detailed in the initial reports, the company's privacy policy outlines the types of personal information it collects from customers. This includes a range of sensitive data that could be exploited for identity theft or fraud if it fell into the wrong hands. The potential exposure of such information raised significant concerns for both the company and the affected individuals.

Despite the disruptive nature of the attack, Brimborg took measures to maintain its business operations. All of the company's branches, including workshops, parts departments, car rentals, and sales divisions for new and used vehicles, remained open. The staff were determined to provide the best possible service under the circumstances, demonstrating an effort to maintain customer service and business continuity in the face of a major IT outage. The company's CEO, Egill Jóhannsson, expressed optimism in initial media statements, indicating that he did not believe the company's data was lost, suggesting confidence in the recovery processes underway.

By September 4, 2023, the company provided an update on the situation. The public update indicated that business operations had returned to a normal state following the cyber attack (netárás in Icelandic). This suggests that the efforts to restore systems and data were successful, allowing the company to resume its full range of services. However, the update also clarified that the investigation by cybersecurity specialists was still ongoing. This ongoing investigation was crucial for determining the final impact of the incident, identifying the threat actors responsible, and understanding the complete narrative of how the breach occurred to prevent future occurrences. The company committed to providing further information on its website as the work progressed, maintaining a channel of communication with the public and its customers.

The incident underscores the persistent threat ransomware attacks pose to businesses of all types, including those in the automotive retail and service sector, which may not always be perceived as traditional high-value targets but nonetheless hold vast amounts of valuable personal and operational data. The attack on Brimborg serves as a case study in incident response, highlighting the importance of having pre-established relationships with cybersecurity experts and a clear communication plan for both regulators and customers during a crisis.
