On 30 January 2020, the French construction company, Bouygues Construction, was hit by a ransomware-type attack on their computer network. In subsequent press-releases Bouygues reported that it had taken all of its information systems offline as a precautionary measure to prevent further propagation of the attack, and advised that operational activity on its construction sites had not been disrupted.
It has been reported that the cyber crime group, Maze, were behind the ransomware attack, with personal data relating to Bouygues employees, including names, home addresses, phone numbers, social insurance numbers, banking details and drug test results, being published online.
Ransomware is a type of malicious software where cyber criminals are able to lock and encrypt a victim’s computer or device data and then threaten to publish private data or block access to networks until a ransom is paid. Whether or not to pay the ransom will require not only a careful assessment of relevant legislation, but also strategic considerations including reputational risk and whether payment might ultimately expose the company to further risk. Organisations that gain a reputation for paying ransoms often become the target of future demands, and indeed payment may not guarantee that the cyber criminal will actually restore access to the data.
Bouygues Construction is one of the biggest construction companies known to have suffered a ransomware attack, and it would seem that this was not an isolated incident: Maze reportedly struck a Canadian construction contractor before hitting Bouygues. These attacks are a salutary reminder to the construction industry that it should not be complacent as to the risk of cyber attacks. The construction industry is increasingly dependent on technology, not only for its own daily operations to manage efficiencies and health and safety on site, but also for greater connectivity with clients, vendors and other stakeholders, by way of building information modelling (BIM) and other integrated common data environments. These represent not only a potential treasure trove of data for criminals, but also provide attractive opportunities for cyber criminals – from controlling critical services, to the theft of trade secrets.
The impact of attacks is rarely limited to the company that has been hacked. Attacks such as a denial of service (DOS) can cripple a company from processing data causing vendor payments to be stopped. Employees can be affected if the company is unable to process payroll and employees fall behind on their own liabilities and the shutting down of internet access may prevent companies from submitting bids and potentially losing vast amounts of revenue. Indeed, contractors are not necessarily targeted for their own data, but as a means of obtaining access to their client’s data or systems.
Regulators expect organisations to prevent attacks. But, given that even the most secure organisations can still suffer successful attacks, there is an increased emphasis on organisations’ ability to respond to, recover and learn from attacks quickly. Rapid detection and containment of any cyber incident is essential and any measures to protect an organisation should include a way to deliver prompt and effective incident response, which can do much to mitigate the harm any attack might cause.