Cyber Incident Victim: London & Zurich
Date: Nov 2023
Location: United Kingdom
Summary
A ransomware attack on a UK-based direct debit provider caused major operational disruptions, leaving multiple customers unable to process payments and accruing six-figure backlogs. The incident led to severe cash flow issues, forcing at least one business to seek emergency loans while others faced payroll uncertainties. Communication during the outage was criticized as inconsistent and unclear, with conflicting restoration timelines causing further confusion. The company rebuilt its compromised environment in a new infrastructure, gradually restoring services including API functionality and customer portals over several weeks. Payment schedules dating back to the initial breach required resubmission, with partial recoveries processed days after collections. While confirming containment and third-party forensic involvement, the firm declined to disclose potential data compromises, attacker identities, or initial breach vectors. The prolonged outage particularly impacted businesses during critical financial periods, highlighting systemic vulnerabilities in payment processing intermediaries.
Description
The ransomware attack on London & Zurich began impacting systems on November 8, 2023, when payment schedules created after 18:30 UK time failed to back up. The company first acknowledged service disruptions on November 10 at 09:19 local time, initially describing "access issues" before escalating the status to a "major service outage" within two hours. Customers were warned that payment collections might remain offline until November 13. The incident was confirmed as a ransomware attack on November 14 through company communications that disclosed engagement with third-party cybersecurity experts and regulators. Attackers compromised at least one server environment, forcing London & Zurich to terminate unauthorized access and begin rebuilding systems in a new, clean infrastructure. The outage prevented customers from processing direct debit payments, creating immediate cash flow crises—one managed service provider accumulated a $124,000 backlog, while others faced payroll funding uncertainties requiring emergency measures like short-term loans and director financing.

London & Zurich's response involved daily status page updates starting November 11, though customers reported inconsistent messaging—particularly regarding restoration timelines. While the status page indicated a November 23 return for the customer portal, conflicting emails suggested payment collections wouldn't resume until November 28. The company prioritized restoring its API service first, achieving full functionality before addressing remaining systems. By November 19, they processed payments from November 9-12, with November 14-22 transactions scheduled for same-day processing on November 24. Password rotations for all customers occurred on November 21 in preparation for portal reactivation. The rebuild process extended through November 23, requiring customers to resubmit payment schedules and new client registrations initiated after the November 8 cutoff. Operational impacts extended to major clients including the Eden Project and ICPA, highlighting London & Zurich's role as a critical intermediary for direct debit processing between businesses and banks. The company maintained throughout that no other environments beyond the initial compromised system were affected, though investigation into potential data exfiltration remained ongoing as of their last public statement.
