
Cyber Incident Victim: Hanzestrohm

Date: Aug 2023

Location: Netherlands

Summary

Hanzestrohm suffered a ransomware attack that encrypted files and made data inaccessible. The company restored operations using backups but could not rule out that personal data was accessed by unauthorized parties. The incident potentially compromised information related to employees, customers, and suppliers, increasing risks of phishing and identity fraud. A data breach report was filed with the relevant authority.


Description

In the night between August 5 and August 6, 2023, the organization Hanzestrohm fell victim to a significant cyber incident identified as a ransomware attack. This type of malicious software functions by taking control of files on computers and similar devices, effectively holding them hostage and rendering the data inaccessible. The fundamental mechanism of such an attack involves encrypting the victim's data, with the perpetrators typically demanding a financial payment in exchange for the decryption key that would restore access to the locked files. While the article notes that files are sometimes released following a payment to the hacker, the specific details regarding any ransom demand made to Hanzestrohm or any subsequent payment were not disclosed as part of the public statement. The immediate operational impact was the unavailability of critical business systems and data, posing a substantial threat to the organization's continuity and daily functions.

The response to the attack was initiated promptly by the internal IT team, whose actions were described as adequate and effective in mitigating the disruption. A key factor in the recovery process was the availability and integrity of existing data backups. The IT colleagues successfully restored all these backups, a process that involved returning the preserved data to the primary systems. As a result of these efforts, all affected systems were returned to full functionality and were reported to be working as expected. Consequently, Hanzestrohm was able to resume normal operations following the incident, achieving a state of being fully operational as usual. This successful restoration from backups suggests that the organization had a disaster recovery plan in place, which proved crucial in overcoming the encryption imposed by the ransomware.

Despite the successful restoration of systems and the return to normal business operations, the incident carried significant data privacy implications. Hanzestrohm formally classified the ransomware attack as a data breach in accordance with privacy legislation. This classification is necessitated by the possibility that the attackers accessed or exfiltrated data during the compromise. In compliance with legal obligations stemming from this classification, the organization proceeded to make a mandatory data breach notification to the Autoriteit Persoonsgegevens, which is the Dutch Data Protection Authority. Furthermore, Hanzestrohm also communicated directly with individuals who were potentially directly affected by the breach, fulfilling its duty to inform data subjects.

The potential compromise of sensitive information represents a grave secondary consequence of the attack. The organization acknowledged that, despite its adequate response and the engagement of external forensic experts, it could not definitively rule out that the affected information and/or personal data had become accessible to unauthorized parties. This access could potentially occur through channels such as the dark web, where stolen data is often traded or published. The types of data potentially involved in this breach were broad in scope, encompassing information related to Hanzestrohm's employees, its customer base, and its suppliers. This indicates that a wide array of personal and possibly confidential business information was stored on the systems impacted by the ransomware.

In light of the risk that personal data was exposed, Hanzestrohm issued a warning to all potentially involved parties, advising them to be extra vigilant in the coming period. The primary concern was that the exposed information could be weaponized for further criminal activities. The organization specifically highlighted the increased risks of phishing attempts, fraudulent messages, and suspicious phone calls. These tactics are commonly used by malicious actors who leverage stolen personal details to create more convincing and targeted social engineering attacks. The warning also extended to the potential for identity fraud, where stolen personal information could be used to impersonate individuals for financial gain or other malicious purposes. To assist those affected, Hanzestrohm directed individuals to consult the web pages of the Rijksoverheid, the Dutch national government, for official guidance on recognizing phishing attempts and steps to take in the event of identity fraud.

The incident underscored the persistent and evolving threat landscape that organizations face, particularly concerning cybersecurity. Hanzestrohm explicitly recognized that cybersecurity is and remains a critical theme within its operations. The company reported that it works continuously alongside external specialists to maintain a high standard of security that meets all requisite requirements. This ongoing commitment involves constant efforts to enhance its defensive posture and resilience against future attacks. The engagement of external forensic experts following the incident also points to a strategy of leveraging specialized third-party knowledge to investigate breaches and bolster security measures.

A deliberate decision was made to withhold specific details about the nature of the recent attack, the intricacies of the Hanzestrohm IT architecture, and the particular security measures that were in place or have since been taken. This policy of limited disclosure was stated to be a security precaution in itself, aimed at not increasing the likelihood of future cyber attacks by providing potential adversaries with intelligence that could be used to plan subsequent intrusions. For individuals with further questions, the organization made its Privacy Officer available via a dedicated email address, [email protected]. Finally, Hanzestrohm extended an apology for any inconvenience caused by the incident and expressed gratitude for the understanding of those affected, acknowledging the disruption and concern such an event inevitably generates.
