Cyber Incident Victim: ISS World
Date:
Feb 2020
Location:
United Kingdom
Summary
A ransomware attack targeted ISS World, a major facilities company with half a million global employees, disrupting IT systems and forcing websites offline. The malware encrypted infrastructure, leaving 43,000 staff at key UK locations without email access while broader operations were affected company-wide. Recovery efforts coordinated from Denmark involved cybersecurity experts and law enforcement, with partial system restoration achieved during ongoing response activities. The incident reflects ransomware actors increasingly prioritizing high-value enterprise targets over individual users to maximize extortion payouts, though specific ransom demands or payments remain undisclosed. Core services to customers reportedly continued despite operational challenges.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The cyber incident impacting ISS World began on or around February 17, 2020, when the multinational facilities company experienced a widespread IT system disruption. Attackers deployed malware identified by ISS as ransomware, which encrypted critical infrastructure and rendered company websites inaccessible. The attack caused immediate operational paralysis for 43,000 employees across two major UK sites – London's Canary Wharf and the Weybridge headquarters in Surrey – who lost email access and computer functionality. While ISS initially described the event only as a "malware" attack, external reporting confirmed ransomware's involvement, a malicious software category designed to lock users out of systems until payment demands are met. This incident affected ISS's global workforce of 500,000 employees, though many frontline staff performing cleaning, catering, and security duties didn't rely directly on compromised IT systems for daily tasks.
Recovery operations were coordinated from ISS's Danish headquarters, where cybersecurity specialists collaborated with Danish law enforcement agencies to restore systems. By February 20, partial restoration progress had been achieved with certain systems returning to functionality while core customer services continued operating despite ongoing disruptions. The attack exemplified contemporary ransomware trends where criminal groups increasingly target large organizations rather than individual consumers, seeking substantially higher ransom payments that sometimes reach millions of dollars. Law enforcement entities including Europol and the FBI maintain consistent advisories against paying ransoms due to concerns about perpetuating criminal enterprises, though organizations facing existential operational threats must weigh complex response decisions. ISS's incident response prioritized system recovery while maintaining essential client services throughout the disruption period.