Confusion reigned among the customers of French carrier CMA CGM, as hackers wrote to media organisations claiming to have accessed customer data – but many of the line’s customers had not heard of the attack.
Moreover, the carrier has told some customers there has been no cyberattack and that no customer information has been stolen.
The hackers claimed to have stolen the data of up to half a million of the carrier’s customers, and threatened to release the entire database within a week.
In what would be a second attack on the carrier within a year, CMA CGM acknowledged that hackers had managed to access its database, but said it believes that it has ‘patched’ the problem.
A CMA CGM Group statement said: “A leak of data on limited customer information (first and last names, employer, position, Email address and phone number) has been detected during surveillance operations on the Group’s APIs. The IT teams have immediately developed and installed security patches, and surveillance of all our APIs has been strengthened. Our customers have been informed and they have been invited to strengthen the level of security to access their accounts while remaining vigilant to any suspicious activity.”
However, one major customer of the shipping line said: “I’ve been chasing our procurement team as no communications have been sent out. We’re awaiting an update from CMA [CGM] as they are saying it’s not a cyber-attack, and no customer information has been accessed.”
The forwarder later updated the note saying: “Apparently a formal announcement to customers will be sent tonight,” but the French operator had said that “no sensitive or confidential customer information had been accessed”.
This seems to contradict the carrier’s official press statement seen above.
Other customers have confirmed that they had had no communications from the carrier about an attack, and indeed, there is no prominent posting on the carrier’s websites and none on social media platforms.
In fact, it has emerged from CMA CGM’s media office that a warning was posted to the company website. To find it, you need to go to the carrier’s website, click on news and scroll down to the eBusiness button; the item was second on the list at the time of writing.
Meanwhile, Global Shippers’ Forum director James Hookham pointed out that if there has been a second attack on CMA CGM, following last year’s event, and it involves personally identifiable data, it will be covered by EU General Data Protection Regulation (GDPR) rules, and thus “needs to be reported to the French data protection authority”.
Moreover, this attack would be “the second time in 12 months” that such a breach had occurred, “so French data protection authorities will have some tough questions – and are answerable themselves as to the adequacy of their oversight”.
Mr Hookham was also concerned about what else might be revealed about each customer if the entire database is posted onto the web, including their booked volumes, contract rates, booking schedules, payment terms and bank accounts, all commercially sensitive information.
“This could get very serious and potentially actionable. Customers need more information about which users are affected, what is being done to retrieve the data, and reassurances about consequential losses incurred,” said Mr Hookham.
He added: “If the shipping industry is serious about its digital future it needs to first get serious about protecting its customers’ data!”
Mr Hookham believed that, given the carrier has claimed its systems were “patched up instantly”, it does not seem to be a particularly sophisticated attack, which in itself “raises more questions about adequacy of data protection standards”.
That theme was taken up by Gideon Lenkey, a cyber-security specialist from EPSCO-Ra Security Systems, who said that CMA CGM had sent some advisories to customers warning them not to respond to phishing emails.
According to Mr Lenkey, almost all of the major attacks on industry systems over the last year had something in common: that the hacked company “did not have multifactored defences all the way through their systems”.
Multifactored defences require users to submit a password and usually another one or two keys before they can access systems; banks, for example, send a code to a mobile phone before allowing access to online accounts.
“Our internet responses [to requests for help after hacks] have doubled over the last 18 months and all but one of these has been about compromised accreditation,” said Mr Lenkey, adding that when the carrier analyses the leak, if it took place, this is probably what it will find.
In the email sent to media organisations, the hackers wrote: “Unfortunately CMA didn’t wish to cooperate and pay a symbolical (sic) redemption for our help of locating the security gap.”
The hackers said they wanted to make the world aware of how large companies do not care about personal data.
The hackers concluded: “In a week we will lay out the entire database.”