
Cyber Incident Victim: Leaseweb

Date:

Aug 2023

Location:

Netherlands

Summary

Leaseweb experienced a security incident affecting part of its cloud infrastructure and causing downtime for a small number of customers. To contain it, the company took critical systems offline, including its Customer Portal, and engaged an external forensics team to investigate the cause and impact. Leaseweb reported that it had contained the incident, restored the affected systems, and found no further unauthorized activity. Initial checks by one affected customer, ATPS Online, indicated no data loss on the systems it managed.

CIA Posture: Available to members
Motives: 1 motive (available to members)
Tactics, Techniques & Procedures: 1 technique (available to members)
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

During the night of August 22, 2023, Leaseweb's monitoring systems detected unusual activity in some of its cloud environments. That detection marked the start of a security incident affecting a specific part of the company's cloud infrastructure, and the activity caused downtime for a small number of Leaseweb's cloud customers. To contain the threat, Leaseweb temporarily disabled certain critical systems that supported the Customer Portal; as a direct consequence, the Customer Portal itself went offline, cutting customers off from their management tools and services. Taking the portal down was part of a broader containment strategy intended to prevent further unauthorized access and to secure the affected environments against additional compromise.


The impact was felt by companies that relied on Leaseweb's hosting services. One such customer, ATPS Online, which provides a time registration solution as Software as a Service, suffered significant service disruption because of the incident at its hosting provider. ATPS Online told its own customers that Leaseweb was working to restore all components of the hosted environment. Despite the disruption, ATPS Online eventually regained access to a number of core systems, including the primary database server, and its initial assessment from that access indicated no data loss on the systems it managed. All data up to the moment the system became unavailable was preserved. Because the time clocks could not transmit their bookings once the outage began, those bookings were not lost either: they remained stored locally on the devices until connectivity could be re-established.

Leaseweb engaged an external security and forensics team to investigate the cause and full impact of the incident. Bringing in third-party experts is standard practice in major incidents, since it gives an impartial and comprehensive analysis of the event. The forensic investigation was central to the response: its goals were to determine the root cause of the intrusion, the methods used by the threat actor, the extent of the systems accessed, and whether any data had been exfiltrated. In its customer communications, ATPS Online noted that Leaseweb had indicated the forensic investigation was not yet complete, and that its findings would be crucial for understanding what had happened and for determining whether any data had been leaked. The outcome of that analysis was stated to be pivotal for defining the next steps in recovery and communication.

Containment plans were put in place for the affected systems, and Leaseweb worked to restore full functionality. The company reported that the affected systems were fully restored after the containment measures were implemented, with integrity checks performed before systems were brought back online. In parallel, Leaseweb said it was improving its security measures in response to the incident, with the aim of hardening its defenses against similar attacks and closing any vulnerabilities that may have been exploited. Throughout containment and restoration, Leaseweb monitored for any sign of further unauthorized activity. It stated that the investigation was ongoing, but confirmed that the incident had been contained and that no additional evidence of unauthorized activity had been found on its systems after the initial response.

Communication was a key part of the incident management. Leaseweb informed its customers and the public of the event and said it would issue an official statement on the suspected cyber security incident as soon as possible. The Customer Portal, taken offline as a precaution, was returned to service, restoring customer access to their management interfaces. ATPS Online, acting as an intermediary for its own user base, committed to keeping its customers updated and promised further messages on the timeline for full service restoration. It also said it was running its own integrity checks on the systems it hosted in the Leaseweb environment before resuming normal service delivery. The incident underscores the interconnected nature of cloud hosting and the cascading effect a security event at a major provider can have on downstream businesses and their end users. Throughout the recovery period the focus remained on forensic discovery, system integrity verification, and transparent communication.

Sources
1 source (available to members)