Logica, National Special Event: Morgan (part 2)
Applicate incident description
7th March 2012
An Applicate employee receives a warning message at 7 AM saying that there is unusual activity in the mainframe environment: one of the InfoTorg users is trying to access a large number of files that the employee administrates and that the user account isn't authorized to view.
The employee contacts Applicate's security manager around 7:30 AM, explaining that the user account is trying to access the circa 10 000 files which the employee administrates.
The security manager contacts Applicate's operations manager, informing him of what has happened. The operations manager in turn contacts Applicate's CEO to report the findings. Applicate forms a team to handle the incident. The team consists of Applicate's CEO, the security manager and the operations manager.
The Infotorg account which is being used turns out to be owned by one of the Infotorg sales people, and the account is locked. The sales person is contacted to ensure that the login details have been used properly and haven't been handed over to a third party.
The operations manager contacts Logica to book a meeting for the following day.
8th March 2012
The Applicate incident team has the booked meeting with Logica around 9:30 AM; Logica's customer manager and Logica's security manager are present. Details are given to Logica during the meeting.
9th March 2012
It is discovered that multiple user accounts have been used in a strange and improper way. IP addresses are traced to various countries, including Cambodia, from where Infotorg's customers usually don't connect.
Applicate's CEO contacts Logica's CEO with information that Applicate suspects that there is an ongoing security incident affecting Logica. Logica assigns Applicate a person who helps Applicate block the suspicious IP addresses that are used to access breached accounts.
10th and 11th March 2012
Applicate's incident team analyzes logfiles and suspected IP addresses and blocks IP addresses and user accounts that are believed to be used in improper ways.
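The two signals that drove the analysis above, an account piling up denied accesses to files it is not authorized for and logins from countries the customer base does not normally connect from, can be scripted over access logs. The example below is added here and is not Applicate's or Logica's code; the log line layout, the account names and the IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed layout (not Applicate's real log format):
# <timestamp> user=<account> ip=<addr> country=<ISO2> dataset=<name> result=GRANTED|DENIED
SAMPLE_LOG = """\
2012-03-07T06:58:01 user=sales04 ip=203.0.113.7 country=KH dataset=reg/0001 result=DENIED
2012-03-07T06:58:02 user=sales04 ip=203.0.113.7 country=KH dataset=reg/0002 result=DENIED
2012-03-07T06:58:03 user=sales04 ip=203.0.113.7 country=KH dataset=reg/0003 result=DENIED
2012-03-07T08:15:10 user=clerk12 ip=192.0.2.44 country=SE dataset=reg/0001 result=GRANTED
2012-03-07T08:16:44 user=clerk12 ip=192.0.2.44 country=SE dataset=reg/0002 result=DENIED
2012-03-09T02:03:17 user=sales11 ip=198.51.100.9 country=KH dataset=reg/0500 result=GRANTED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) country=(?P<cc>[A-Z]{2}) "
    r"dataset=(?P<dataset>\S+) result=(?P<result>GRANTED|DENIED)$"
)

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped rather than guessed at."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def flag_accounts(text, expected_countries=frozenset({"SE"}), denial_threshold=3):
    """Return ({account: [reasons]}, {source IPs to block}) from the two timeline signals:
    many DENIED results on distinct datasets, and access from unexpected countries."""
    denied = defaultdict(set)          # account -> distinct datasets it was refused
    foreign = defaultdict(set)         # account -> countries outside the expected set
    suspicious_ips = defaultdict(set)  # account -> source IPs seen on those events
    for e in parse_log(text):
        if e["result"] == "DENIED":
            denied[e["user"]].add(e["dataset"])
            suspicious_ips[e["user"]].add(e["ip"])
        if e["cc"] not in expected_countries:
            foreign[e["user"]].add(e["cc"])
            suspicious_ips[e["user"]].add(e["ip"])
    findings = {}
    for acct in sorted(set(denied) | set(foreign)):
        reasons = []
        if len(denied[acct]) >= denial_threshold:
            reasons.append(f"{len(denied[acct])} distinct datasets denied")
        if foreign[acct]:
            reasons.append("access from unexpected countries: " + ", ".join(sorted(foreign[acct])))
        if reasons:  # clerk12's single denial from SE stays below both thresholds
            findings[acct] = reasons
    block_ips = {ip for acct in findings for ip in suspicious_ips[acct]}
    return findings, block_ips
```

Only the IPs tied to the flagged events end up on the block list, so a legitimate user who fat-fingers one file is not cut off along with the attacker.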
12th March until 20th March 2012
Daily meetings are held between Applicate and Logica. Applicate's incident team continues analyzing logs and blocking suspicious IP addresses and user accounts. It is noticed that the number of user accounts being used improperly keeps escalating. On the 19th March Applicate's incident team contacts the police.
21st March 2012
8:20 AM Logica informs Applicate that unauthorized logins have been made not only in SYS19, the machine dedicated to Applicate and Infotorg, but also in SYS3. It is also revealed that somebody has accessed a system-wide admin account, a NUS, that grants nearly full permissions to SYS3 and SYS19. Around 14:30 Applicate's incident team finds that sensitive information owned by the tax agency has been downloaded by the attackers. The security managers from the tax agency and the bailiff agency are contacted. At 16:38 the unauthorized NUS user has a failed login attempt, and around 20:00 intrusion attempts are detected from new IP addresses.
23rd March 2012
Starting this date the investigation proceeds with the Swedish National Police Agency and Activity Protection. Logica, IBM, Applicate/Infotorg and KPMG begin work with the affected government agencies and provide them with logfiles. Applicate/Infotorg begins modifying the infrastructure to prevent future attacks of this sort. The intrusions end in April 2012.
Applicate hired consultants for in total 2 000 000 SEK to work with the incident. Infotorg changed its routines for password management in its services; the policy was changed to require more complex passwords. To achieve this Infotorg hired consultants and existing staff had to work overtime. In total Infotorg has spent up to around 2 200 000 SEK to achieve this.
In addition to these costs, management staff has spent time corresponding to circa 440 000 SEK. Key people in Bisnode have also had to spend time on controlling logging, following up credit investigations, troubleshooting etc. The cost for this is estimated at circa 275 000 SEK.
In total the claimed damage caused to the Bisnode group is estimated to be circa 4 915 000 SEK.
The intrusion in Applicate was reported by Axex AB, a security and risk management company. They are most likely the consultants that were hired for 2 000 000 SEK to gather evidence. There is therefore reason to believe that Axex has conducted surveillance on people living in Cambodia as part of the investigation.