Staples Canada in Oakville, Ontario
Thanksgiving weekend brings many things to be grateful for after the feast, including notable deals from your favorite online retailers on Cyber Monday. While most of us were busy filling our online shopping carts on November 27th, Staples, the office supply retail giant, took down numerous systems in response to a cybersecurity incident. The company released a statement on their website on November 30th citing that they were acting to mitigate the impact and protect customer data. These proactive efforts caused disruptions to multiple mission critical business processes – online orders, deliveries, communication channels, and customer service lines.
Staples recovered online orders and delivery operations by Thursday November 30 and notified customers that orders for November would be completed by Friday December 1st. However, they are still experiencing disruption with their communication channels and customer service lines, according to their status page. While it has not been confirmed whether or not customer data has been breached during this attack, the timing of the incident speaks for itself. Attackers were able to compromise the operations of a retail giant during one of the largest online retail days of the year. It continues to highlight the increase and relevance of cyber attacks on critical business operations.
What do we know about the attack?
The details of this attack have still not been revealed but Staples has confirmed that no ransomware was deployed and no data was encrypted due to their actions. According to Reddit reports on Monday 27, individuals claiming to be employees reported that numerous internal systems were down including Zendesk, VPN employee portals, print emails, phone lines, and more. There are other unconfirmed reports that employees were instructed not to use Microsoft 365 Single Sign On and that call center employees were sent home for two consecutive days.
Join Thousands of Weekly Readers
Enter your email for instant access to our EXCLUSIVE ebook & discover the Roadmap for Moving to ROI-Led Cyber Risk Management.
As mentioned earlier, Staples quickly reported on their website that many services may experience disruptions as they act to protect customer data. Though this is not the first major cyber incident Staples has faced – earlier this year starting on March 6th, Essendant, a wholesale supplier owned by Staples, had a multi-day outage that disrupted the supply chain. Lockbit ransomware claimed the attack over a week later and customers were reported to be frustrated online due to the lack of transparency. Essendant confirmed they were impacted by ransomware on March 17. In 2020, Staples suffered from a data breach of customers purchase history after a vulnerability exploit. It is reported that it took the company close to two weeks to solve the issue and notify customers after the breach was reported to them.
Earlier in their history, in 2014, Staples was reported to have had patterns of credit card fraud that suggested a data breach, which was later confirmed as a breach that impacted over 1.1 million different payment cards. The following year a software, PNI, acquired by Staples was breached exposing major customers like CVS, Rite Aid, and CostCo. In the aftermath of this breach Staples stock price fell along with a loss in market share.
Although Staples is now a privately held company, they quickly and transparently reported their most recent cyber incident within 3 days. Swift disclosures are being seen more and more especially in the recent past after increasing pressures from investors and the general public to make prompt public disclosure an industry best practice. Organizations are learning from the past adverse impacts and the rising consequences of withholding cyber attack information from shareholders, regulators, and customers.
Our Key Takeaways
1. Continued Attacks on Business Operations
- Attacks on availability of operations seem like they will only continue to grow and persist based on recent trends. As we have seen in major recent attacks like MGM Resorts, Prospect Medical Holdings, DP World, Ardent Health Services and Clorox, the target is no longer just cyber breach. Attackers have their sights set on bringing down major business processes of their victims to increase their ability to hold C-suite hostage and ask for higher ransom payments. In this case they took down online orders and customer service business processes on one of the most heavily trafficked online shopping days of the year. These displays of destruction can lead to quicker ransom payments and more notoriety making them more and more attractive to hackers.
Businesses need to focus on building and maintaining resilience of mission critical operations to drive their cybersecurity strategy to combat and limit the potential of future cyber attacks.
2. Hacking Away at the Holidays
- Every year beginning in November organizations are warned to prepare themselves for cyber attacks in the coming months. Hackers capitalize on the holidays for many reasons. One being the reputational impact especially for retailers, at this time. The traffic of shopping and online ordering for the gifting season ahead makes many retailers profitable at this time of year. A cyber attack is detrimental for operations and revenue at this time likening the prospect to hackers. Another major motivator for attacks during the holiday season is the gaps in staffing around the holidays. Many people take off time during November and December including the members of the security team. Vigilance and reaction times tend to Increase leading to greater success and impact of incoming attacks.
3. Disclose Now, Remediate Later
- At the time of writing this article, we have very few details about the nature and cause of the attack but it has been disclosed to the public for over a week even before key systems were restored. In the information age it is becoming more and more important to remain transparent about cyber attacks. Criticism and financial consequences are quickly increasing from regulatory rules coming into place like SEC rule on Material Incident Disclosure, NYDFS Amended Cybersecurity Regulation, and NCUA’s Regulations to name a few. Shareholders and investors are also becoming major drivers as cyber incidents continue to make material financial impacts to organization’s share prices and increasing class-action lawsuits by the customers. Time will tell whether early disclosure will lessen these impacts, but we have seen many more timely disclosures in the past few months.
Join Thousands of Weekly Readers
Enter your email for instant access to our EXCLUSIVE ebook & discover the Roadmap for Moving to ROI-Led Cyber Risk Management.
Conclusion
As we enter the holiday season we should expect to see more and more destructive cyber attacks. Staples shows that even a major retailer that operates close to 1000 locations can have its key business processes critically impacted by a cyber attack. In the age of online shopping, it is apt that organizations create a secure and resilient digital environment to support their operations.
While the details of this attack will continue to be revealed, its impact was made clear by the disruption of services on Cyber Monday and throughout the following days.
In a time when cyber breaches seem inevitable for all organizations, business process resilience built through cybersecurity defense in depth strategies and business risk led cyber risk governance is going to differentiate organizations from winners and losers.
Clorox was the leader in their industry on the Forbes list for most secure companies, but they ended up with a major breach costing millions and billions of dollars because it was not just a breach, it was an attack on critical business operations. Let this incident among many be a lesson to urge organizations to see beyond just cyber breach risk and focus on operational resilience by layering defenses to protect their critical business processes.
Resources
Note: This blog post is based on information available as of Dec 7th, 2023, from various news sources. The situation might evolve, and readers are advised to stay updated through official channels.