NASA Contractor Breached by Ransomware: Finally Time to Pay Attention to Your IT Security?

June 04, 2020

By: Drew Sorrell

The ransomware gang DoppelPaymer announced yesterday that it had breached the network of Digital Management Inc. (DMI), a provider of managed information technology and cybersecurity services that had apparently supplied services to NASA.

DoppelPaymer claims to have stolen files relating to DMI's work with NASA, leaking some of the files as supposed proof of the theft. The attack follows the current pattern of breach, encryption and ransom demand, with the threat being that if the victim does not pay the ransom, the data will be released. Other ransomware groups have started auctioning off such stolen data to the highest bidder if the victim doesn't pay.

Large and medium-sized companies or those with high profiles aren't the only targets for ransomware. Automated systems make it easy for organized crime to cast a wide net, scanning the Internet for companies with vulnerabilities that it can exploit. Small companies are now as good a target as any other company, if not a better one.

Small and medium-sized companies make prime targets for ransomware simply because they often spend relatively little on security, have poor backups and frequently put off updating their systems. A cybercriminal who infiltrates a small company’s system to steal and encrypt its data is able to bring the company to its knees.

Law enforcement is often busy with larger breaches and unlikely to focus on the case of a small company. Given the unsophisticated nature of the target, a cybercriminal can then extort the victim with relative impunity, making a modest sum for relatively little work.

So, are you still comfortable that your small or medium-sized company can continue to put off security as a priority? Think of it this way: an ounce of prevention is worth a pound of cure.

Here are some things you can do to be a harder target:

  1. Buy cyber-insurance today, not tomorrow. Invest in a policy that covers ransomware, wire-fraud spoofing and anything else your company and insurance broker think might be applicable.

  2. If you outsource all or part of your IT, ask the provider to point out how the contract addresses what happens if you are breached: who is responsible for restoring the systems, notifying affected customers and employees, responding to regulators and regulatory action, and defending lawsuits; who pays; what the provider's cyber-insurance policy states; and whether you are covered (and have all of it written down).

  3. If you handle your own IT internally, then ask IT to show you:

    1. The company’s written data inventory. Maintain documentation of what data the company has, where it is kept, and how old it is. If you don’t know what you have, you cannot protect it or respond in an informed way if it is stolen (or lost).

    2. The company’s “WISP” or written information security plan. Review the plan to ensure that it covers all of the data on the inventory you just reviewed. Update it periodically, either when a material change occurs or at least yearly.

    3. The company's data breach response plan. Know who is doing what, how they are doing it, whom to call and how all of it will work. Role play different scenarios via a tabletop exercise to make sure you have thought through the problems.

    4. The company’s data retention plan. Determine what data you need to keep and for how long. A previous client that you haven’t worked with in many years is going to be upset if you notify them that their data was stolen and is being ransomed. Old data that you are not using is only a liability, not an asset—don’t be a data hoarder.

    5. The training plan. Create a plan for educating your employees about your data security, including what they need to be aware of, as well as what to do when there is or isn’t a problem (i.e., proactive security and routine security practices).

  4. Regardless of internal or external IT management, ask to see your company's patch log. Make sure it is up to date, and if it is not, put in writing a reasonable explanation and a plan for remediation with a due date. Items that are not patched for a valid reason should then be dealt with through a "compensating control", i.e. something that compensates, security-wise, for the missing patch. Failing to patch is a consistent theme in data breaches.
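
As an added example (not from the article or any vendor's tool), a small Python audit of a constructed patch log that applies the rules in item 4: every deferred patch needs a written reason, a compensating control and a remediation due date that has not passed. The column names, host names and patch identifiers are assumptions made for the sample.

```python
"""Audit a patch log: flag deferred patches that lack a written reason,
a compensating control, or a remediation due date, and ones whose due
date has already passed. Constructed example; not a real inventory."""
import csv
import io
from datetime import date

# Constructed sample log. Columns are an assumption, not a standard format.
PATCH_LOG = """\
host,patch,status,reason,compensating_control,due_date
fileserver01,KB-EXAMPLE-1,applied,,,
fileserver01,KB-EXAMPLE-2,deferred,vendor app breaks on update,host isolated in VLAN; no internet egress,2020-07-15
mailrelay01,KB-EXAMPLE-3,deferred,,,2020-05-01
hrlaptop07,KB-EXAMPLE-4,deferred,reboot window pending,,2020-06-20
"""


def audit_patch_log(log_text, today_iso):
    """Return one finding per problem as (host, patch, issue).

    today_iso is the review date as YYYY-MM-DD; anything due before it is overdue.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["status"].strip() == "applied":
            continue  # applied patches need no exception paperwork
        key = (row["host"], row["patch"])
        if not row["reason"].strip():
            findings.append((*key, "no written reason for deferral"))
        if not row["compensating_control"].strip():
            findings.append((*key, "no compensating control recorded"))
        due = row["due_date"].strip()
        if not due:
            findings.append((*key, "no remediation due date"))
        elif date.fromisoformat(due) < today:
            findings.append((*key, f"remediation overdue since {due}"))
    return findings


if __name__ == "__main__":
    # Review date chosen to match the article's publication date.
    for host, patch, issue in audit_patch_log(PATCH_LOG, "2020-06-04"):
        print(f"{host} {patch}: {issue}")
```

Run against the sample, the properly documented deferral on fileserver01 produces no findings, while the undocumented and overdue entries are each called out with the specific gap to fix.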

Taking the above actions will help to prevent your company from becoming the victim of a cybercriminal. But there is more you can do. Talk to your privacy and cybersecurity attorney about the details. Talk to your crisis communications specialist about the details. Make sure everyone is ready and that everyone knows what they are expected to do in case of emergency.

This article is informational only. You should consult an attorney before acting or failing to act. The law may change rapidly and no warranty is given. LOWNDES DISCLAIMS ALL IMPLIED WARRANTIES AND WITHOUT LIMITATION, ANY WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE. ALL ARTICLES ARE PROVIDED AS IS AND WITH ALL FAULTS. Consult a Lowndes attorney if you wish to establish an attorney/client relationship.

Drew Sorrell's practice focuses on complex commercial issues, relating to both litigation and contract/policy drafting.

Drew has years of experience litigating business matters, intellectual property/patent infringement disputes, data breach/privacy issues, wire fraud (spoofing/spear phishing), business torts/disputes, insurance coverage, personal injury and employment litigation. Likewise, he has significant experience drafting and negotiating software licenses (SaaS), Internet service provider agreements, data privacy/breach policies and procedures, employment/services agreements as well as the indemnity and insurance coverage related to those agreements.

Initially, Drew began his legal career as a judicial clerk to Senior United States District Judge John H. Moore II, in Jacksonville, Florida, and then practiced with an AmLaw top 10 firm in Manhattan primarily in their litigation department. After spending some time as an assistant county attorney responsible for litigation, he joined Lowndes and is currently chair of the firm’s multi-discipline Cybersecurity, Privacy & eDiscovery Group.

A founding member of the Sedona Conference Group 11 (Privacy/Data Security), Drew is frequently asked to speak and write on legal and ethical issues arising from technology, including unfair and deceptive trade practices, data breach, privacy, data governance, and technology contract drafting. He is also currently serving as chair of the Orange County Bar Association Intellectual Property Committee.

Drew has argued before the United States Court of Appeals for the Eleventh Circuit, at the federal level, and the Fifth District Court of Appeal at the state level. He is admitted to the United States Supreme Court Bar, as well as the Florida, New York and District of Columbia Bars. He is admitted to practice before all federal district courts in Florida as well as the Southern District of New York.

Born in Florida, Drew roots for his adopted football team—the FSU Seminoles (because neither Rollins nor George Washington has a football team). He is a proud father of two sons who play basketball and soccer, make great grades and generally keep him very busy in his spare time.