Ryanair has today confirmed that a fraudulent electronic transfer via a Chinese bank resulted in the theft of £3.3m from one of its company accounts.
Following the discovery of the fraud last Friday, Ryanair reportedly asked the Crimminal Assets Bureau in Dublin for help in getting the stolen funds returned via counterpart agencies in Asia.
The budget airline said in a statement to the Irish Times: "Ryanair confirms that it has investigated a fraudulent electronic transfer via a Chinese bank last week."
"The airline has been working with its banks and the relevant authorities and understands that the funds – less than $5 million – have now been frozen.
"The airline expects these funds to be repaid shortly, and has taken steps to ensure that this type of transfer cannot recur.
With little information given about who was behind the hack or how the scam was operated, CBR has turned to industry experts to outline the many lessons that can be learnt from this cyber theft.
1. Do not underestimate the hustler
Catalin Cosoi, Chief Security Strategist at Bitdefender, said: "This latest hacking scam serves as a perfect reminder of just how skilled and motivated cyber criminals are, especially when large amounts of money are involved.
"The fact that large companies are now targeted should indicate that cybercriminals have upped their game and are more interested in going for big scores. If end users were the primary sources of income until now, we might be witnessing a paradigm shift in how these online "hustlers" operate."
2. Focus is now on the big bucks
Aleks Gostev, Chief Security Expert at Kaspersky Lab GReAT Team, said: "The days when cybercriminal gangs focused exclusively on stealing money from end users are over.
"Criminals now attack businesses directly because that’s where the big money is. We don’t have specific technical details about the cyberattack on Ryanair or about how the money was actually stolen, but, based on our experience, fraudulent electronic transfer via a bank is a realistic scenario.
"In February this year we reported on the "Carbanak" cyberattacks that included financial institutions worldwide among its targets and resulted in the theft of up to one billion US dollars – some of it transferred to banks in China as well. For business sectors other than financial services, the attackers could probably transfer money to fraudulent accounts through online-banking or E-payment systems."
3. Cybercrime is changing – intel must be shared
Alan Carter, Cloud Service Director at SecureData said: "I wonder if it is a hack in the traditional sense? With little information about what happened, it is quite conceivable that this was an inside job, or carried out by someone who knows their systems intimately.
"When we speak of hacking we generally mean people breaking into computer systems, is this just a modern method of breaking into banks? I certainly think so and it is a lot easier than spending a bank holiday weekend drilling into safety deposit boxes in Hatton Garden with pretty much no risk of getting caught.
"I think this is the way the criminal element is moving, away from street crime, burglary etc and other forms of ‘traditional’ stealing due to the huge rewards and minimal risk. If indeed the money was transferred to China, then the chances of finding the culprits is pretty slim.
"It also shows the need for an obligatory reporting system in the case of cybercrime, if we do not share details of attacks and breaches with other businesses, then how can we and the security industry at large learn and understand from them? I suspect very few businesses would cover up a physical attack on their infrastructure, so why do they do it for a cyber attack?"
4. CSOs: Recognise your responsibility
Rob Norris, Director of Enterprise & Cyber Security Fujitsu UK&I, said: "As the sophistication of security threats continue to increase, it has never been more important for organisations to have the appropriate tools and services in place to protect themselves from fraud.
"The amount of data and confidential information that is transacted every day, coupled with the growth in reliance on digital services, means that many businesses are at risk – making them an easy target in the eyes of a cyber-criminal.
"Organisations can no longer afford to make mistakes in security and should look to make fraud security part of its security programme. By communicating from the top down what cyber security means to its business, CSOs can help all employees to recognise their responsibility in ensuring the company is adequately prepared to manage threats.
"As well as this, CSOs should act as the "business enabler" by making sure that business runs as usual and everything is secure by default."
5. Loose ends must be cleaned up
Chris Sullivan, VP Advanced Solutions at Courion, said: "Organisations should be deploying identity analytics and intelligence solutions that will allow them to clean up loose ends like abandoned account or orphan accounts that have no administrative oversight, or those accounts that have more access rights than are really warranted.
"More importantly, identity analytics can enable an organization to continuously monitor for unusual access behavior within privileged accounts so that a hacker, once in, can be detected more quickly and hopefully stopped in his tracks.
"To this point, the Verizon DBIR stated that "75 percent of detection took weeks," and "We need to close the gap between sharing speed and attack speed." I couldn’t agree more with the latter."
6. Use big data to its full potential
Alexon Bell, Compliance Solution Director EMEA & APAC at SAS, said: "The Ryanair hack illustrates the vital need for banks and enterprises to stay one step ahead of the fraudsters. With fraud levels surging around the world, banks are facing greater regulatory scrutiny, as well as the risks associated with damaging publicity from fraud, so the ability to correctly make these split-second decisions – before the fraud occurs – is more important than ever.
"Real-time fraud detection using data analytics is already available, so these kinds of losses are preventable. Unfortunately, many companies are still not using big data to its full potential. Instead, they are effectively opening themselves up to these attacks by relying on manual processes or simple rules-based systems which are no longer adequate detection solutions.
"The funds may be repaid this time, but it should serve as a further wake-up call to all global enterprises that prevention is always cheaper than cure."
7. Adopt a secure breach approach
Paul Hampton, Payment Security Expert at Gemalto, said: "It’s vital for businesses to protect their customers’ data as early in the transaction process as possible by moving to a framework that is centred on the data itself.
"This means adopting a ‘secure breach’ approach to data protection which focuses protecting sensitive data wherever it exists. Rather than focusing on specific points of vulnerability, end-to-end encryption secures data from the earliest possible moment of its capture, ensuring that data remains in an encrypted state consistently until it arrives at the payment gateway.
"However, encryption alone is only part of the solution. Organisations should invest in a standards-based enterprise key management strategy that should include specific methods of limiting access to keys, defining how those keys are issued and distributed, and providing protections for them as they are stored. Without these considerations, keys could be copied, modified or even impersonated by a skilled hacker, who could then access cardholder data.
"Being breached is not a question of "if" but "when". Long term security — as well as business success — will hinge on an organisation’s ability to more comprehensively and strategically manage its security efforts.
"Only by adopting a data-centric approach that leverages the cloud to secure sensitive information across its entire lifecycle, can companies be safe in the knowledge that their data is protected, whether or not a security breach occurs."
8. Educate your employees
Guy Bunker, SVP Products at Clearswift, said: "This just goes to show that businesses have to be extraordinarily careful over even the most obvious of items – like bank accounts, transactions and money. As business processes become ever more complex the opportunity for fraud created through social engineering also increases.
"There was a trend a couple of years ago with fake invoices (or ‘real’ invoices with changes in bank details for direct transfer payment) which were then followed up aggressively in order to get them paid. This appears to be a similar type of attack.
"Training and awareness are key to help employees to understand and recognise this type of threat and then have a process to act accordingly. Furthermore, this education must not be a one-off, it needs to be constantly reinforced, and where possible backed up with policies and technologies in order to reduce the risk."
9. Secure your supply chain
Richard Brown, Director EMEA Channels & Alliances at Arbor Networks, said: "You can have the tightest cybersecurity available, but as an organisation if you haven’t assessed the weaknesses in your supply chain, and where indirect attacks might come from, then it’s like locking your front door but leaving all your windows wide open.
"Now Ryanair is the latest organisation to fall victim to a supplier’s lack of security. All organisations have a supply chain – some larger than others – but very few do the checks necessary to make sure they don’t present a security risk.
"Often we see hackers target customer data within an organisation – but this is a reminder that attacks happen for a wide range of motivations. This time it was financial. Although it seems customer details are safe, it is still worrying that Ryanair was compromised. When this happens, reputational damage is often just as harmful as the actual physical loss. Whether Ryanair is directly to blame or not, just by association this will tarnish its already questionable reputation."
10. Consider cyber liability insurance
Ken Munro, Senior Partner at Pen Test Partners, said: "In the case of Ryan Air, the thieves chose a plausible spend – fuel – to siphon out the money and this brings us to another common method of fraud: invoicing.
"A letter or email arrives at accounts payable stating the bank details have changed for a large supplier. No one verifies it, and the next payment goes to the fraudster. We can usually find out how the breach happened (generally a phishing email to accounts payable, stealing banking passwords) and help mitigate future attacks but nine times out of ten the cash is unrecoverable.
"In many cases, just like Ryan Air, the funds have already been transferred to other countries. For those without the clout of Ryan Air, first party cyber liability insurance can help recover these sums, indemnify the business and ultimately prevent it from going bust."