Cyber Incident Victim: Graham & Brown Ltd

Date: Feb 2022

Location: United Kingdom

Summary

Graham & Brown Ltd experienced a sophisticated ransomware attack that disrupted critical business systems for two weeks, rendering the company non-operational. The attackers compromised extensive employee personal data, including names, addresses, bank details, national insurance numbers, medical information, and passport numbers, later threatening to release the stolen records unless demands were met. No ransom was paid, and the company restored operations through collaborative recovery efforts with IT specialists, implementing enhanced security measures such as CrowdStrike protection, system-wide password resets, and ongoing staff cybersecurity training. Authorities including the ICO and police were notified, with investigations ongoing, though no stolen data had been publicly released at the time of reporting.

Description

On February 23, 2022, Graham & Brown Ltd, a Blackburn-based wallpaper supplier, suffered a sophisticated cyber and ransomware attack that disabled all critical business systems, rendering the company non-functional for two weeks. The attack disrupted operations until recovery efforts led by the management team, internal IT staff, and external specialists restored systems. Attackers initially provided no evidence of data exfiltration until April 25, when they contacted the company’s US office, directing representatives to a chat room where they listed files allegedly containing UK personnel records. These records included names, addresses, contact details, national insurance numbers, bank account information, medical data, passport numbers, and driving license details of current and former employees. The company verified the legitimacy of the contact but did not observe actual file transfers or dark web publication of stolen data at that time.

Graham & Brown immediately reported the incident to Lancashire Police and the Information Commissioner’s Office (ICO) on April 26. Management convened an emergency meeting to brief staff, cascading details company-wide and establishing a dedicated email address for employee inquiries. The firm confirmed no ransom was paid and implemented enhanced security measures, including deploying CrowdStrike’s 24/7 monitoring, resetting all system and employee passwords, and reinforcing pre-existing monthly cybersecurity training provided by Mimecast. Employees were advised to monitor for phishing attempts and suspicious account activity. Operational impacts included prolonged system downtime and potential reputational risks, though business functionality was restored within the two-week recovery period. As of the latest reporting, attackers continued threatening data exposure but had not published information on known dark web platforms monitored by law enforcement. The company maintained transparency with stakeholders throughout the incident, offering to share lessons learned with other CEOs facing similar threats.
