The hacker group The Dark Overlord claims to have hacked Gorilla Glue and has stolen, they claim, over 500 GB of intellectual property.
As I have said many times, the theft of intellectual property is a way bigger problem than the theft of credit cards.
If someone steals your credit card, you whine at the bank, they cancel your old one and overnight you a new one. In the worst case, you are out $50 under federal law. Maybe if your bank is cheap, you have to wait a few days for a new card.
If someone steals your intellectual property (IP) there is no putting that genie back in the bottle. Once your product design or salary information or whatever is out, you cannot reel it back in.
In this case, The Dark Overlord claims to have stolen “everything they have ever created“. They say it includes research and development information, IP, product designs, and access to dropbox and personal email accounts. The personal email accounts are typically the place where password reset requests are directed, so that is particularly troublesome. Plus it could include adult pictures, if the celebrity iPhone hacks from a couple of years ago are any indication.
The Dark Overlord sent Motherboard a cache of 200 MB worth of the data that was stolen (out of the 500 gig). The information includes financial spreadsheets, invoices, strategy documents, presentations, contracts with banks and other material. Motherboard says this material does not appear to be available anywhere on the Internet.
Motherboard contacted a number of people at Gorilla Glue and also the FBI, but no one is talking, which is not really a surprise if they are negotiating with the hackers.
Among the data in the small cache is pictures of Gorilla Glue executives’ family members. If that isn’t scary, I am not sure what is. Motherboard was able to find other pictures of some Gorilla Glue exec’s families to validate those pictures are real.
So what we have here is a family owned company that was apparently totally hacked. All of their IP, financial info, R&D and likely customer information was all stolen. Pictures of company executives families were also vacuumed up.
And, it appears, the hackers are negotiating a price to not release this information. The hackers said that they have offered Gorilla Glue “a handsome business proposition”.
How many zeros are in that invoice are not clear, but I am sure this is not a $500 ransomware invoice.
This is the second item this week where hackers stole information and are now trying to extort the business in exchange for not releasing the information.
Of course, you have to trust the extortionists, so even if you do pay, what confidence do you have that they won’t release the information, use it themselves for nefarious purposes or sell it quietly to other hackers? The answer is ZERO!
Do you have a plan of action if hackers stole every bit of digital information your company has? I didn’t think so. It is a worst case scenario for most companies.
That doesn’t mean that you should not have a plan. In fact, you should. This should be a scenario that you test in your incident response annual exercise.
Information for this post came from Motherboard.