By Joe Tidy
Cyber correspondent
More than 100,000 people have been warned their personal data is in the hands of cyber-criminals as a result of a continuing mass hack.
The BBC, British Airways, Aer Lingus and Boots are among the companies whose staff have been affected by the MoveIt data breach.
And more organisations are expected to issue staff warnings, as the extent of the breach is discovered.
But what action can those caught up in mass hacks take?
Don’t panic
In the early stages of an attack such as this, the most pressing advice is aimed at the organisations.
Hackers are not interested in going after individuals – it is too time-consuming and they care about one thing only: getting paid.
And they will probably send ransom demands to the organisations breached, asking for the cryptocurrency Bitcoin.
“The important message to organisations right now is not to panic, to install the security patch and not to pay the criminals,” former National Cyber Security Centre lead Prof Ciaran Martin says.
But once an organisation has been breached, the hackers have the upper hand.
And the criminals thought to be responsible for the MoveIt hack are notoriously ruthless with their extortion techniques.
Don’t pay
The hackers often take time to consider their extortion tactics.
“Some prior incidents involving these criminals have seen victims not contacted until weeks after data was stolen – so if you don’t hear from them in the coming days, you are not in the clear,” Mandiant Intelligence senior manager Kimberly Goody says.
The group, thought to be based in Russia, will then contact a company email address, demanding payment not to publish the stolen data online, Mandiant research suggests.
These demands are usually in the seven- or eight-figure range, Mandiant experts say, but some have exceeded $35m (£28m).
And law enforcement agencies around the world advise organisations not to pay, as it fuels the growth of these criminal gangs.
Be suspicious
For individuals, the advice is also not to panic but to be suspicious.
If your organisation refuses to pay the criminals, there is a good chance they will publish the data on the dark web or try to sell it to other hackers.
But there are many steps between that and you losing money.
“There really is an important message not to panic, as it’s very unlikely that organisations have been storing data like full bank details which can lead directly to sort of financial harm,” Prof Martin told BBC Radio 4’s Today programme.
And although some organisations, such as British Airways, say some staff bank details have been stolen, this is highly unlikely to lead to individuals’ bank accounts being drained.
The risk, experts say, is from secondary attacks, where hackers use the details they have to trick victims into revealing more details.
So the advice is to look out for suspicious emails and phone calls – particularly ones about the hack.
Don’t log in
In a typical scam, individual victims might receive a message claiming to be from their organisation, asking them to log in and verify their account because “fraudulent activity has taken place”.
Things to look out for, experts say, include:
- official-sounding messages about “resetting passwords”, “receiving compensation”, “scanning devices” or “missed deliveries”
- emails full of “tech speak”, designed to sound more convincing
- being urged to act immediately or within a limited timeframe
The MoveIt breach is likely to become more serious as other companies discover they have been hacked – but, experts say, data stolen in previous hacks has been published in an obscure corner of the dark web, with little consequence to individuals.