Executives who handled cyberattacks at LastPass, SolarWinds and Accellion share tips on planning for and responding to an incursion.

Karim Toubba was a few months into his new job as chief executive officer of LastPass US LP, which allows customers to store and manage passwords, when he learned that his company had been hacked. Two weeks later, in August 2022, he published a blog post saying that while the hackers had stolen some source code and proprietary technical information, there was no evidence that access was given to customer data or encrypted password vaults.

Crisis averted—until the hackers returned, using information stolen in the earlier attack to obtain encrypted usernames and passwords, among other data. That development, revealed in a blog post by Toubba days before Christmas, prompted waves of criticism and a Wired story entitled “Yes, It’s Time to Ditch LastPass.”

The ordeal placed Toubba into a growing fraternity of executives who’ve helmed companies through a cyberattack, a grinding experience that can drag on for months. Some customers abandoned LastPass after the attacks, but the company says it’s now close to pre-incident numbers, which it declined to provide.

Toubba says his company got many things right in responding to the hack but could have done better in some areas, such as communication. His team continues to review the response, looking for ways to refine processes. “Improvement to those kinds of things is a never-ending game,” he says. His message to other CEOs who may find themselves in a similar position? You won’t be judged for being hacked, but you will for how you respond.

Executives, security professionals and lawyers who have worked through hacks say that while every situation is different, organizations can take measures to respond to a crisis and help mitigate the damage. For starters, it’s critical to have an incident response plan in place. It must account for worst-case scenarios and be rehearsed by relevant parties including the C-suite beforehand, or it’s “truly just a piece of paper,” says Erez Liebermann, a partner at Debevoise & Plimpton who helps clients prepare for and respond to breaches.

Organizations should also remain flexible. Company executives may have decided never to pay a ransom demand, but what happens if the hackers call and threaten a customer or a family member? “As Mike Tyson said once, ‘Everyone’s got a plan until you get punched in the mouth,’” says Liebermann. “That’s true in cyber.”

Many big companies now have teams with cyber expertise on retainer so they don’t have to go searching for help when they are hacked. That can include lawyers, forensic investigators, crisis communication experts and a ransomware negotiator. This helps to calm fears in the early days of an attack while establishing a structure and a path forward.

Communicating with customers, employees and the general public about the breach requires careful calibration: Providing too little information could prompt a backlash, while giving too much too soon can cause headaches if it later turns out to be inaccurate. The facts around hacks are hazy in the first few days and may change. Planning potential messaging for a breach ahead of time can help.


“Forensic investigations are messy,” says Kim Peretti, leader of Alston & Bird’s global cybersecurity practice. There’s pressure to provide details early on, when the full picture might not yet be known. “Your goal is to really create outward trust with customers or consumers that generally you have a structure, you know how to respond to this incident, even if you don’t know how it’s going to unfold,” she says.

Leaders responding to an attack may also benefit from contacting the proper government department, such as the FBI or the Cybersecurity and Infrastructure Security Agency in the US. They may have knowledge on intrusion techniques—or on the hackers themselves—that can inform the response and recovery and help prevent further attacks. Still, fewer than a quarter of cyber intrusions are reported to the US government, which limits authorities’ ability to prevent further intrusions.

SolarWinds Corp., a Texas-based company that makes popular IT management software, has become synonymous with one of the most advanced hacks in recent memory. An investigation into the attack, which occurred in 2019 and 2020, determined that Russian state hackers had infiltrated as many as nine US government agencies and about 100 companies via SolarWinds and other methods.

The company had been prepared with an incident response plan it had tested. It also brought in outside experts, including cybersecurity firm CrowdStrike Holdings Inc. and the law firm DLA Piper, and worked with the government. Tim Brown, SolarWinds’ chief information security officer (CISO), says all that “started us down the right path,” but the plan couldn’t have accounted for the scale of the attack. The hackers had installed malicious code in an update for SolarWinds software that allowed them to further infiltrate the systems of customers who uploaded it.

Brown says he learned about the attack on the morning of Dec. 12, 2020. Because the hack had been leaked to the press, the company had only a day before it became public, giving officials little time to investigate and prepare a statement, he says.

SolarWinds initially reported that fewer than 18,000 customers may have received the malicious update, a figure that stuck in news stories for some time. In the end, the investigation concluded that the hackers had infiltrated far fewer. “That would have been a very different outcome from a story perspective,” Brown says. “But we didn’t have the time to be able to understand everything at that point.”

Nonetheless, the company’s openness about the breach has paid off, as most of its customers have come back, he says. Brown says he fields questions from other CISOs wanting to glean knowledge from his experience. He says they ultimately want to know: “What do I need to learn so that, you know, I don’t get fired during one of these events?”

Jonathan Yaron, CEO of Kiteworks, a California-based company that makes software to share sensitive files securely and in a way that complies with regulations, has his own scars from a cyberattack. In December 2020 his company, then called Accellion, was the victim of a supply chain hack that started when hackers exploited flaws in 20-year-old software that was primarily used to transfer large files. Those flaws were patched by the company, but the hackers returned and exploited two other vulnerabilities in the software. Ultimately, fewer than 100 customers were hacked, but roughly 25 suffered significant data theft, according to the company. The hackers later used the data to extort victims.

Accellion settled a class-action suit for $8.1 million without admitting wrongdoing. Similarly, SolarWinds settled a class-action suit for $26 million without admitting wrongdoing. LastPass is also facing legal claims; the company says it is unable to comment on pending litigation.

One thing Yaron says he learned: Don’t put up with customers who won’t patch software. Prior to the attack, he says, Accellion offered incentives for customers to upgrade from the old software, then penalized them for not doing so. But some refused to budge. Kiteworks no longer offers that product. Going forward, it now asks customers to patch software flaws quickly and doesn’t want their business if they don’t do so within a year. “You either upgrade or go someplace else,” Yaron says.
