Tech hack notification delays can leave corporate customers in the lurch

Some tech companies are slow to share details about hacks of their products, leaving customers vulnerable to disruptions and uncertain how to respond as information trickles out.

Cyberattacks in which hackers target a service provider and then use that foothold to access their customers’ networks are receiving scrutiny from policy makers in the U.S. and Europe. Large-scale attacks in recent months on software companies SolarWinds Corp., Accellion USA LLC and Kaseya Ltd. demonstrate attackers’ ability to infect a large number of companies and government agencies that use the same technology products.

While companies commonly require their technology providers to disclose incidents that expose their data, many struggle to obtain details that could help them prepare for potential fallout from a cyberattack on their technology supply chain, according to legal and security experts.

“People want the most accurate concise information as soon as possible," said Pete Chronis, chief trust officer in residence at the Cloud Security Alliance, a nonprofit group that develops cybersecurity frameworks and maintains a registry of security audits submitted by cloud providers.

The danger of leaving customers in the dark about such so-called supply-chain attacks is malware can spread, disrupting their operations and those of business partners down the line. Details about how attackers accessed a software vendor, for example, could help the company’s clients know what suspicious activity to watch for and how to strengthen defenses.

However, it can take weeks or months to investigate an attack, and suppliers must balance their customers’ need for information with the intensive work required to understand how the hack happened, said Mr. Chronis, formerly chief information security officer at AT&T Inc.’s WarnerMedia.

Companies in industries such as critical infrastructure sectors may fall under cybersecurity laws requiring them to disclose cyberattacks to regulators. In the European Union, for example, many providers of essential services such as energy, transportation and healthcare must inform authorities about cyber incidents that affect their service, depending on how long the attack continues and how many people are affected.

Those companies may be more likely to disclose a breach to customers than companies that aren’t required to notify authorities, said Apostolos Malatras, a cybersecurity expert at Enisa, the European cybersecurity agency.

A July 2 ransomware attack on Kaseya affected around 60 of its customers, the company said, many of which are technology service providers with their own clients. Hackers used a vulnerability in Kaseya’s VSA administrator software to distribute ransomware to the company’s customers. Kaseya customer VelzArt, a Dutch technology company, said most of its estimated 500 customers were hit, disrupting their IT systems.

VelzArt learned about the attack from one of its engineers, who noticed that several clients’ systems went down around the same time. VelzArt employees started immediately working to repair its customers’ computers and restore clients’ service.

Kaseya issued a patch on July 11. A spokeswoman declined to respond to questions about how the company communicated with customers.

In about two-thirds of 24 major supply-chain attacks between January 2020 and July 2021, technology firms didn’t know how hackers entered their systems, or didn’t report that information to customers, according to a study from Enisa last month.

Software firms and other suppliers may lack the technical know-how to quickly understand how an attack occurred, or they may not want to notify customers until they are sure about details, said Sebastián García, an assistant professor at the Czech Technical University in Prague who contributed to the study.

Even technology companies don’t have perfect visibility into hackers’ movements, he said. Investigating a hack is “very costly, it takes a lot of human hours and tools to understand what’s going on," he said.

Lawyers and communications experts are often involved in deciding when their company should disclose a hack, he added, since making details public too soon can be dangerous if the security team hasn’t closed all openings that could let attackers back into the network. “If I go public I should be pretty sure I’m in control of the situation," he said.

Palo Alto, Calif.-based Accellion, which makes file-sharing software, said in a Jan. 12 blog post that it discovered a vulnerability in its File Transfer Appliance tool in mid-December and issued a patch to “the less than 50 customers affected." On Feb. 1, the company posted an update saying it had notified all customers using the software in December.

At least one customer, the Reserve Bank of New Zealand, didn’t receive an update from Accellion until Jan. 6, according to a report on the attack from consulting firm KPMG commissioned by the bank. Accellion also didn’t inform the bank that hackers infected its other customers who used the same software, the report said.

“This information, if provided in a timely manner is highly likely to have significantly influenced key decisions that were being made by the bank at the time," the report said.

A spokesman for the central bank declined to provide further details.

Brisbane, Australia-based QIMR Berghofer Medical Research Institute said it received its first notification from Accellion on Jan. 4, advising the institute to apply a security patch. On Feb. 2, the software company informed the institute its data was affected by the attack. The institute said in a statement in March that hackers accessed around 620 megabytes of its data.

A spokeswoman said the institute has “specific terms about data security breach notifications in its contracts with vendors" and reviews suppliers’ security policies before signing contracts.

An Accellion spokeswoman referred to the company’s prior statements about the attack and declined to answer questions about its communications with customers including QIMR Berghofer and the Reserve Bank of New Zealand.

Breach-notification laws generally require companies to inform regulators and affected people within a specific time frame when their personal data is exposed, but don’t specify that they provide details about how the attack occurred.

Corporate cybersecurity teams can work out contractual bottlenecks and communication problems with technology firms by holding yearly exercises with suppliers to practice how they would be informed about a potential data breach, said Theresa Payton, president and chief executive of cybersecurity consulting firm Fortalice Solutions LLC, and a former White House chief information officer under President George W. Bush.

Many companies’ contracts with suppliers include a requirement to disclose a breach of personal data or a service outage, but no language specifying that the supplier must notify their customer about other cyberattacks. “You’d be surprised how many times that boilerplate around cyber incident notification is missing," she said.