What do David Beckham, Oprah Winfrey and Donald Trump have in common? Well, apart from the fact they have huge piles of cash at their disposal, they also each like to spend that cash at exclusive ‘rich people’ establishments like the London-based diamond specialist, Graff. Though, I bet they wish they hadn’t, as the jewellery firm is currently at the centre of a massive virtual heist! As a cyber security consultant, this hack naturally caught my attention due to the high-profile customers whose information is at stake.
The celebrities I mentioned are just three of the many powerful, wealthy and famous people who have bought luxurious jewels from Graff and are now at risk of their private data being leaked to the public. This could prove incredibly embarrassing and reputationally damaging: client lists, invoices, receipts and credit notes could all provide evidence of high-society figures buying gifts for secret lovers or taking jewellery as bribes, never mind personal details such as home addresses and financial data being exposed to the masses.
The hackers have already published 69,000 records belonging to 11,000 of the jewellers’ A-list customers on the dark web – frequented by terrorists and criminals who could potentially use the data for theft, extortion or blackmail. And that’s just 1% of the data they have at their disposal. Unless the tens of millions of pounds in ransom money is paid, they will keep publishing more data.
How did the hack happen?
Now, I love a classic heist story as much as anyone (hello Catherine Zeta-Jones in Entrapment), but in this cyber age, it’s less about hackers trying to limbo their way through lasers to bag themselves millions and more about gaining access to private data to use as leverage for a hefty ransom.
Whilst an investigation by the Information Commissioner’s Office (ICO) is still underway, cyber experts are speculating that the hackers most likely gained access to Graff’s network by sending a phishing email to an unsuspecting member of staff. Opening the attachment (or following the link) would have quietly installed a loader that gave the attackers a foothold on that employee’s machine. With human-operated ransomware of this kind, the encryption payload is typically deployed only later, once the operators have mapped the network and harvested credentials, which is why the initial infection so often goes unnoticed.
Once that foothold existed, the perimeter firewall was largely beside the point: the attackers were already inside, able to move between systems with legitimate accounts and to copy out the company’s data before the ransomware ever ran. Anti-virus on the endpoints may catch the initial malware, but not reliably, and it does little against an intruder who is simply logging in with stolen credentials.
Who’s behind the hack?
Word on the street, and by that, I mean the internet, is that the attack is the handiwork of the notorious Russian hacking group Conti, believed to be based near St Petersburg. The group has built up quite a reputation for itself, having been blamed for more than 400 attacks on US and international organisations to date. The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) have even released a joint Cybersecurity Advisory (CSA) warning organisations about the increase in Conti ransomware attacks.
Conti stepped onto the scene in May 2020 and has been causing havoc ever since. Whilst it shares similarities with other ransomware families, it has been developed rapidly since its discovery, putting it at the top of the list of threats to watch. Conti is human-operated, double-extortion ransomware known for the speed at which its operators can deploy it and encrypt a victim’s systems. By moving quickly, the gang can steal data and threaten to publish it, as well as encrypt it, before most organisations have noticed anything is wrong.
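Conti’s speed is exactly why early detection matters, and the most reliable signal is the encryption itself: one process rewriting many files across many directories within seconds, often dropping the same note file into each one. The Python below is an added example, not code from the original post or from any published Conti analysis. It runs a sliding-window detector over constructed file-event log lines in a made-up format (timestamp, host, process, operation, path); the `.locked` extension, the `readme.txt` note name, the `ws-12` host and the thresholds are assumptions chosen for illustration, not Conti indicators.

```python
"""Rate-based detector for mass file encryption, run over constructed file-event logs.

Added example: not the post's own code. Log format, thresholds, the `.locked`
extension and the `readme.txt` note name are all assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath
from typing import Deque, Dict, List, NamedTuple, Tuple


class FileEvent(NamedTuple):
    ts: datetime
    host: str
    process: str
    op: str        # "rename" or "create"
    path: str      # source path for rename, created path for create
    new_path: str  # rename destination, empty for create


def parse_event(line: str) -> FileEvent:
    """Parse one line of the constructed format:
    <ISO timestamp> <host> <process> <op> <path> [<new_path>]"""
    parts = line.split()
    new_path = parts[5] if len(parts) > 5 else ""
    return FileEvent(datetime.fromisoformat(parts[0]), parts[1], parts[2],
                     parts[3], parts[4], new_path)


def _record(alerts: Dict[Tuple[str, str], Dict[str, int]],
            key: Tuple[str, str], field: str, value: int) -> None:
    """Keep the highest value seen per (host, process) for each signal."""
    entry = alerts.setdefault(key, {"renames": 0, "note_dirs": 0})
    entry[field] = max(entry[field], value)


def detect_encryption_bursts(
    lines: List[str],
    window: timedelta = timedelta(seconds=30),
    min_renames: int = 50,
    min_dirs: int = 5,
    min_note_dirs: int = 5,
) -> Dict[Tuple[str, str], Dict[str, int]]:
    """Return (host, process) -> {"renames": n, "note_dirs": m} for processes that,
    within a sliding window, rename >= min_renames files to a different extension
    across >= min_dirs directories, or create a same-named file in >= min_note_dirs
    directories (the ransom-note pattern)."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e.ts)
    renames: Dict[Tuple[str, str], Deque[FileEvent]] = defaultdict(deque)
    notes: Dict[Tuple[str, str, str], Deque[FileEvent]] = defaultdict(deque)
    alerts: Dict[Tuple[str, str], Dict[str, int]] = {}

    for ev in events:
        key = (ev.host, ev.process)
        if ev.op == "rename":
            # Only renames that change the extension count: that is what encryptors
            # do, while ordinary saves keep the same suffix.
            if PurePosixPath(ev.path).suffix == PurePosixPath(ev.new_path).suffix:
                continue
            q = renames[key]
            q.append(ev)
            while ev.ts - q[0].ts > window:   # evict events older than the window
                q.popleft()
            dirs = {str(PurePosixPath(e.new_path).parent) for e in q}
            if len(q) >= min_renames and len(dirs) >= min_dirs:
                _record(alerts, key, "renames", len(q))
        elif ev.op == "create":
            name = PurePosixPath(ev.path).name
            q = notes[(ev.host, ev.process, name)]
            q.append(ev)
            while ev.ts - q[0].ts > window:
                q.popleft()
            dirs = {str(PurePosixPath(e.path).parent) for e in q}
            if len(dirs) >= min_note_dirs:
                _record(alerts, key, "note_dirs", len(dirs))
    return alerts


def constructed_log() -> List[str]:
    """Constructed sample telemetry, not real data: a benign archiver that renames a
    handful of files slowly, and a process that rewrites 60 files across six shares
    in twelve seconds and drops the same note into each share."""
    t0 = datetime(2021, 10, 1, 9, 0, 0)
    lines = []
    for i in range(8):
        ts = (t0 + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts} ws-12 archiver.exe rename "
                     f"/shares/finance/old{i}.csv /shares/finance/old{i}.bak")
    shares = ["finance", "clients", "invoices", "hr", "legal", "marketing"]
    for i in range(60):
        ts = (t0 + timedelta(milliseconds=200 * i)).isoformat()
        share = shares[i % len(shares)]
        lines.append(f"{ts} ws-12 enc.exe rename "
                     f"/shares/{share}/doc{i}.docx /shares/{share}/doc{i}.docx.locked")
        if i < len(shares):
            lines.append(f"{ts} ws-12 enc.exe create /shares/{share}/readme.txt")
    return lines


if __name__ == "__main__":
    for (host, proc), signals in detect_encryption_bursts(constructed_log()).items():
        print(f"ALERT {host} {proc}: {signals}")
```

The thresholds (50 extension-changing renames in 30 seconds across five directories) are a starting point to tune against your own file-server baseline, and the slow archiver in the sample shows why the window matters: it changes extensions too, but never enough of them at once. The point is that the burst is visible within seconds, which is the only window a human-operated encryptor leaves you.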
What do they want?
In Graff’s case, the Conti gang has already demanded tens of millions of pounds in ransom. However, some cyber experts believe Conti will demand to be paid either in a cryptocurrency such as Bitcoin or in jewels that could later be sold on the black market. Why not cold hard cash? Simple: cryptocurrency and jewels are much harder for the authorities to trace back to individuals, though not impossible in Bitcoin’s case, since every transaction sits on a public ledger and exchanges are where the trail usually resurfaces.
How has Graff reacted?
I can only imagine the panic and stress Graff staff members are going through right now, but as a company, it is, of course, doing all it can to protect its reputation and that of its wealthy customers, too.
Talking about Conti’s hack, a spokesperson from Graff, said: ‘We were alerted to their intrusive activity by our security systems, allowing us to react swiftly and shut down our network. We notified, and have been working with, the relevant law enforcement agencies and the ICO.
‘We have informed those individuals whose personal data was affected and have advised them on the appropriate steps to take.’
The jewellery specialist also said it was able to rebuild and restart its systems within days without suffering any irretrievable loss of data. That is the good news, and it says something about the state of its backups, but it only addresses the encryption half of a double-extortion attack: restoring from backup does nothing about the copy of that same data the hackers still have at their disposal…
How could the attack have been avoided?
If we take the experts’ word as gospel and accept that the hackers got in by duping a member of staff into opening a malicious email attachment, then clearly staff need educating on proper cyber security hygiene. Training on what to look for in a phishing email would be a good start if it hasn’t begun already, though no amount of training stops every click, so the network also has to be built on the assumption that one workstation will eventually be compromised.
But equally, we’ve got to look at the inadequate security infrastructure that Graff has in place. Whilst I’m clearly not part of its wider cyber security team, I have several years of experience consulting my own clients on their security needs. And one thing that keeps popping up is ransomware attacks that not only steal data but also encrypt it – just like what’s happening with Graff.
It is worth being precise about what encryption does and doesn’t do here. Attacks like this one don’t involve breaking anyone’s encryption: the intruder reads the data through a compromised account, exactly as a legitimate user would, so encryption at rest only helps where the keys are kept out of that account’s reach. Separately, the public-key algorithms that protect most of today’s connections and key exchanges (RSA and elliptic curves) would be broken outright by a large enough quantum computer, which is why ‘harvest now, decrypt later’ is a real concern for data with a long shelf life. Well-keyed symmetric encryption such as AES-256 is not broken by quantum computing, so that is the kind of protection to be looking for.
If organisations want to keep their private data private, they need to upgrade their systems with encryption that is not only safe today but quantum-safe too, and to pair it with the controls that stop an intruder who already holds a user’s access from reading the plaintext: least privilege on shared data, network segmentation, and monitoring that catches mass encryption early, which is what eventually alerted Graff. Luckily, I came across Arqit, which has developed a solution called QuantumCloud. It works by creating one-time, zero-trust symmetric encryption keys at endpoints across all devices, and since discovering it, I’ve been recommending it to all my clients. Now, if only Graff had been one of them!