Portuguese energy giant EDP has confirmed in a letter to customers that it suffered a ransomware attack in April that resulted in hackers gaining access to information stored in its computer systems.
The confirmation comes over a month after hacker group Ragnarok claimed it had downloaded more than 10TB of private information from EDP group servers, Most of the stolen data included EDP's contracts, billing, transaction and client details, and the hackers were able to access these after using the RagnaLocker ransomware to gain access to the company's network.
"We had downloaded more than 10TB of private information from EDP group servers. Below just a couple of files and screenshots from your network only as a proof of possession! At this moment current post is a temporary, but it could become a permanent page and also we will publish this Leak in Huge and famous journals and blogs, also we will notify all your clients, partners and competitors. So it’s depend on you make it confidential or public!" the hacker group announced via an update posted on its website.
The hacker group had also demanded EDP to pay 1580 bitcoins (£11,717,326) in ransom if it wanted to recover up to 10TB worth of stolen data through a custom decrypter.
In a letter addressed to customers last week, Miguel Angel Prado, the CEO of EDP Renewables North America, said that the energy giant had indeed suffered a ransomware attack that resulted in hackers gaining unauthorised access to data stored in its information systems.
He, however, stressed that there is no evidence that hackers accessed the personal information of EDP's customers. He said that the data security incident notification was made out of an abundance of caution as the company stored limited customer data such as names and social security numbers. Any other personal information or payment card details of customers were not stored in the company's systems and hence, were not accessed by hackers.
"EDPR NA takes seriously both the security of your personal information and this incident. In response to this incident, we have taken steps to enhance the security for your personal information, such as implementing new IT processes and login requirements, including multifactor verification, to limit the likelihood of a recurrence.
"As a proactive measure, EDPR NA is offering you one year of identity protection services at no cost to you through Experian, one of the three nationwide credit bureaus. Your one-year membership in Experian’s IdentityWorksSM product provides identity restoration services, fraud detection tools, and other benefits, which include monitoring your credit file at Experian," Prado added.
Commenting on EDP's announcement, Kristen Poulos, VP & general manager of industrial cybersecurity at Tripwire, said that ransomware attacks are particularly concerning for companies with both heavy IT and OT footprints. In the case of EDP Renewables, it appears the attack was contained to their Enterprise systems, and mainly confidential information regarding things like billing and contracts was targeted.
"Though that's a significant challenge in and of itself, if such attacks were to permeate into the OT space (due to improper segmentation between IT and OT), they could infect systems critical to energy output, like HMIs and engineering workstations. Luckily, this did not appear to be the case this time," Poulos added.