The German supermarket chain "tegut" was recently the target of a cyberattack (source in German) and on April 24 the company activated emergency procedures that shut down their entire central IT network and disconnected it from the internet. While done to limit the exposure of sensitive data, these measures also had side effects including gaps in their supply chain and other services that lasted for weeks. Despite these mitigation efforts, the attackers have already begun to publish company and customer data on the dark web.
Tegut is a Swiss-owned supermarket chain that operates about 280 stores across central and southern Germany. They have had an annual turnover of over 1 billion EUR every year since 2017.
What kind of data was affected?
According to a press release from May 27, the attackers began publishing answers that customers had given to market research surveys, primarily those who were members of their customer rewards program "GuteKarte". The leaks also included personal data, including home addresses, email addresses, and telephone numbers.
A week before that, it was announced that company data had been published online. According to the press release from May 18, it could not be ruled out that the affected company data included personal data of employees.
What services were affected during the shutdown?
Due to the emergency shutdown, customers and employees experienced the following issues:
- The email server was shut down so requests couldn't be sent to the company per email. This service was restored on May 9.
- Certain products were unavailable for a time because the central logistics program was taken offline and could no longer automatically process restocking needs. Stores had to track their stock manually and, because the email server was also down, restocking orders had to be placed by telephone.
- Most types of gift certificates couldn't be purchased or processed for payment until May 21.
- Certain areas of their website had to be deactivated, including the customer login portal, which came back online on May 25 and required customers to change their passwords.
What motivated the attack?
The company has suggested that the incremental release of the stolen data by attackers is intended to increase "pressure" on them. In the press release following the second publication of stolen data, the company's CEO commented (translated from German), "we will not reward criminal activity and we will not enter into negotiations with criminals. It is clear to us that the attackers are now increasing the pressure on [our company] and want to provoke uncertainty among our customers, employees, and suppliers in order to assert their demands." It was not revealed in the press release what those demands are.
How has the company responded?
- Emergency protocols were activated on April 24 which involved shutting down the company's central IT network and disconnecting it from the internet.
- Since then, regular press releases have been published and chronicled on their website.
- Customers were asked to change their passwords before logging back into their online portal.
- The breach has been reported to the authorities and affected customers have been notified.
- A new logistics app has been released ahead of schedule that enabled stores to begin restocking their shelves as quickly as possible.
What can organizations do to mitigate attacks like this?
The number of data breaches continues to rise. According to ENISA's Threat Landscape 2020, the total number of breaches by midyear 2019 increased by 54% compared to midyear 2018.
Cybercriminals are constantly looking for new ways to breach organizations and are finding ways to exploit value from any kind of data they are able to access. While payment card data is often the main focus, hackers will also resort to using personal data from customers to blackmail organizations.
Whether the concern is accidental exposure or external attackers as in this scenario, the best strategy is to assume that sooner or later, one way or another, sensitive data at your organization is going to be compromised. That is why the focus shouldn't rest solely on protecting the containers the data is stored in; the data itself should be protected, in a data-centric security approach. That way, in the likely event of a breach, attackers find themselves in the proverbial empty vault: obfuscated data with no exploitable value.
A data-centric security strategy starts from the assumption that the organization has already been compromised; therefore, wherever possible, sensitive data must be protected throughout the organization, everywhere live data was formerly used. In many situations, live data can be replaced with operationally and functionally equivalent data elements that still support operations and analytics, yet have no discernible value to anyone who gains unauthorized access to them. The outcome is that attacks and accidental exposures become more difficult, more detectable, and more manageable than they are with traditional perimeter-based defenses, monitoring, and controls.
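As an added illustration of the data-centric approach described above (example code written for this article, not tegut's systems or any vendor's product), here is a small deterministic, format-preserving tokenizer in Python: customer fields such as email and phone are replaced by tokens that keep their shape, so de-duplication, joins and per-domain counts still work on the protected dataset, while the live values are only recoverable through a separately protected vault. The key, the `Tokenizer` class and the sample record in the test are all assumptions made for the example.

```python
import hashlib
import hmac
import string


class Tokenizer:
    """Deterministic, format-preserving tokenizer: the same live value always yields
    the same token, so analytics still work, but a token alone is worthless."""

    def __init__(self, key: bytes):
        self._key = key
        # (field, token) -> live value. Assumption: in production this vault is a
        # separately secured system reachable only by processes that must detokenize.
        self._vault = {}

    def _keystream(self, field: str, value: str) -> bytes:
        out, counter = b"", 0
        while len(out) < len(value):  # extend with a counter for long values
            msg = f"{field}\x00{value}\x00{counter}".encode()
            out += hmac.new(self._key, msg, hashlib.sha256).digest()
            counter += 1
        return out

    def _transform(self, field: str, value: str) -> str:
        chars = []
        for ch, b in zip(value, self._keystream(field, value)):
            if ch.isdigit():
                chars.append(string.digits[b % 10])  # a digit stays a digit
            elif ch.isalpha():
                letters = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
                chars.append(letters[b % 26])  # a letter stays a letter, case kept
            else:
                chars.append(ch)  # separators such as +, spaces and dots are kept
        return "".join(chars)

    def tokenize(self, field: str, value: str) -> str:
        if field == "email" and "@" in value:
            local, domain = value.rsplit("@", 1)
            token = self._transform(field, local) + "@" + domain  # domain kept for analytics
        else:
            token = self._transform(field, value)
        stored = self._vault.setdefault((field, token), value)
        if stored != value:
            raise ValueError(f"token collision in field {field!r}")
        return token

    def tokenize_record(self, record: dict) -> dict:
        return {field: self.tokenize(field, value) for field, value in record.items()}

    def detokenize(self, field: str, token: str):
        return self._vault.get((field, token))
```

Because the mapping is deterministic, anyone holding the key could test guesses for low-entropy fields such as phone numbers, and equal tokens reveal equal originals; the key and the vault therefore have to be kept apart from the tokenized dataset for the approach to deliver the "empty vault" the text describes.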