The Elephant in The Biz: outsourcing of critical IT and cybersecurity functions risks UK economic…


Kevin Beaumont

Recently, there have been three major UK ransomware and/or extortion incidents at three big UK companies — Co-op Group, Marks and Spencer and Jaguar Land Rover. One thing connects them all: in the past 5 years, they all outsourced key IT and cybersecurity services to TCS, aka Tata Consultancy Services. I’m not saying TCS are bad, or totally at fault. But I want to unpack what is happening here, as the wider context is important.

Estimates vary as to the cost of these incidents but the Cyber Monitoring Centre pegs the cost at Co-op and M&S at around half a billion pounds — and retail industry groups also land around that figure.

Marks and Spencer are still recovering systems several months later, and Co-op Group spent over a month without key IT systems.

With Marks and Spencer, their insurance provider suffered a “full tower loss”, meaning the cost went over M&S’s £100m cover. M&S expect the cyber insurance policy to cover around half the total cost. Co-op Group had no cyber insurance cover and so refused to pay the ransom, which is why they attracted the most escalation in the media from the teenage hackers involved.

Jaguar Land Rover are currently 15 days into a total car manufacturing shutdown. As I write this, over two weeks in, staff still have no idea when IT systems will be restored, so car manufacturing can restart.

Costs so far to Jaguar Land Rover are currently unknown — BBC report estimates of around £10m a day, so somewhere in the region of £150m so far. However, this is ‘just’ profit losses — when you factor in cyber incident response, legal fees and everything else — plus the fact the incident is still not resolved and services not recovered — it’s very possible this will significantly rise.

The Telegraph claim JLR are losing £72m a day, which would bring the current total to just over a billion pounds if accurate.

The result? These three incidents alone likely cost the orgs involved, all told, around a billion UK pounds. The only suspects arrested have been released on bail and haven’t been charged months later, and are mostly teenagers. Some of the suspects have had prior convictions in the UK for similar incidents… but simply kept keeping on keeping on.


Noman wishes you keep on keeping on

But here’s the thing. A billion quid. Sounds bad… but they’re private companies, so who cares?

The BBC reports Jaguar Land Rover made just over £2 billion in profit in the past year. They can afford to take a hit too. They’ve saved a lot of money by outsourcing to TCS, after all.

The following might make you care.

The BBC also reports that the downstream impact on Jaguar Land Rover’s suppliers — many small to medium sized businesses — is leading to staff being laid off. There are now growing calls for the UK government to set up a furlough scheme, at the taxpayer expense, to pay the suppliers to keep staff on, while Jaguar Land Rover try to recover their largely outsourced IT systems.

Essentially, we’ve ended up in a situation where, to deliver shareholder value, large organisations are incentivised to outsource core IT and cybersecurity functions to low-cost managed service providers abroad — and then, when hit with ransomware, the insurance will cover paying the ransom (some insurers will actually push for payment to criminal groups, to cover their potential losses).

This cycle plays into the ransomware economy, where the same criminal groups can then reinvest the money into purchasing exploits and gaining initial access to other organisations. Because ransomware is such big business, many of the groups have far bigger research and development funds than the organisations they’re attacking. Especially when the organisations they’re attacking have outsourced key areas to low cost providers.

The net effect is that ransomware and extortion groups continue to gain access to more organisations, and risk UK economic security. It is only a matter of time before they hit some kind of essential UK service that directly impacts millions of people — by which point millions of people will be asking what is being done about the problem. And the answer is: not enough. When we’re at the stage of having to look at urgent furlough schemes for JLR’s suppliers to rightly save jobs, it isn’t so much a sign that the canary in the coalmine has died, as that the coalmine is about to collapse on people.

How we got here

Co-op Group began its relationship with TCS over a decade ago, but really started to outsource key IT services to TCS around 2017. At the time I managed their Security Operations Centre. They outsourced their IT helpdesk — thought to be the intrusion point for the incident — to TCS, transferring staff to TCS and ultimately making roles redundant.

At the time, I took this photo in the public lobby of 1 Angel Square, where a colleague had written that they were working on selling the company to Tata (TCS) as part of “Fuel for Growth”:

After I left the organisation in late 2019, they later fully outsourced my team, the Cyber Security Operations Centre, to TCS, along with various other key cybersecurity services. That team is tasked with detecting unauthorised access. They also centralised more IT teams, and then transferred those services to TCS too around 2020, making colleagues redundant in the process:

Co-op Group recorded £161m in pre-tax profits in the past financial year.

Marks and Spencer started their relationship with TCS around a similar time, also outsourcing key IT services and making staff redundant:

This resulted in redundancies. This included their IT helpdesk — also the point of entry for the incident. My understanding is that, as this relationship progressed, they also started outsourcing elements of their cybersecurity function to TCS — including the team tasked with detecting unauthorised activity.

M&S recorded pretax profits of £876m in the past financial year.

Jaguar Land Rover follows a similar pattern. They outsourced key areas of IT to TCS. Then went on to outsource bits of cyber, including Security Operations, Governance Risk and Compliance, and Identity and Access Management to TCS. Although staff were transferred using TUPE, many were later made redundant. That TUPE pattern is repeated across the orgs.

JLR recorded pre-tax profits of £2.5 billion in the past financial year, their best performance in a decade.

TCS deny everything

They don’t. TCS deny any of their systems were breached. Their statements on the matter should be parsed carefully to see exactly what statement they are making or answering.

It is well known in the cyber industry that the LAPSUS$ kids were phoning helpdesks and asking for access, and getting it with ease. TCS provided this helpdesk service, shared across customers. When TCS have domain admin into environments and manage IT services, the question isn’t ‘were TCS breached?’. It’s ‘how were TCS’ customers breached and did you provide those services?’

It’s not a secret in the cyber industry that there’s a lot of stories about TCS — I’ve heard names like Terrible Cyber Service in the trenches. And the memes have been around for a while.


100000000000% certified


There’s also, you know, all the Reddit threads over the years, e.g.:


https://www.reddit.com/r/cybersecurity/comments/1ll1l6c/scattered_spider_tcs_blame_avoidance/

Are MSPs bad?

No. Managed Service Providers aren’t bad. For small businesses in particular, a great MSP can elevate an organisation to give it technology it wouldn’t be able to deploy and manage properly due to their scale.

However — when you’re talking about organisations with tens of thousands of employees, when they outsource areas like cyber risk and compliance, cyber security operations, password reset helpdesks etc. — they take on a level of risk which, I think, becomes highly questionable. It’s not just risk — it’s risks that can and do materialise. That 10% budget saving doesn’t look so hot when the whole company has a heart attack.

MSPs rely on commonality to scale. They use, for example, teams of people who cover vast numbers of customers. They run IT helpdesks where, based on the phone number you call, you get a customised one in that company’s name — e.g. TCS run a Microsoft frontline employee IT service desk. But the person answering the phone is spinning many plates and just sees the number you called, pulls up that company’s process, and runs through a script with you. It’s easy to abuse, and easy for the operator to make a human error.

MSPs use Standard Operating Procedures. They’ll be managing Active Directory, storage arrays, VMware clusters etc across thousands of other orgs. They write everything down. Everything is documented. If you’re an attacker, it’s easy to abuse. These things are the beating heart of a company.

It’s also the case that many MSPs pay incredibly poorly, and there are examples of staff at MSPs accepting bribes. Given the level of access they have — for example being able to reset MFA tokens for administrative users — paying incredibly low wages is not only risky, it’s really dumb.
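The three points above (scripted shared helpdesks, SOP-driven operators covering many customers, and desk staff able to reset MFA for administrative users) describe exactly the events a customer’s own security team should be watching in the helpdesk audit trail. The following is an added example, not code from the article or from any provider it names: a small policy check over helpdesk reset events that flags privileged-account resets done without strong identity verification, MFA resets done on caller ID alone, and a single operator acting across an unusual number of customer tenants. The event schema, field names, group names, verification labels and thresholds are assumptions, and the sample events are constructed.

```python
# Added example: a policy check over helpdesk credential/MFA reset events.
# Not code from the article or from any provider named in it. The event
# schema, field names, group names and thresholds are assumptions; the
# sample events below are constructed.
from collections import defaultdict
import json

# Groups whose members should never have a password or MFA factor reset on
# the strength of a phone call alone (assumed group names).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Global Administrator"}

# Verification methods treated as strong enough to act on (assumed labels).
STRONG_VERIFICATION = {"callback_to_registered_number", "manager_approval", "in_person"}

# A shared-desk operator touching more customer tenants than this in one
# batch is worth a second look (assumed threshold).
MAX_TENANTS_PER_OPERATOR = 2

# Constructed sample events, one JSON object per line, as a helpdesk tool
# might export them.
SAMPLE_EVENTS = """
{"ts":"2025-09-15T09:02:11Z","operator":"desk-op-17","tenant":"retailer-a","target":"j.smith","groups":["Domain Users"],"action":"password_reset","verification":"callback_to_registered_number"}
{"ts":"2025-09-15T09:05:40Z","operator":"desk-op-17","tenant":"retailer-a","target":"svc-admin-01","groups":["Domain Admins"],"action":"mfa_reset","verification":"caller_id_only"}
{"ts":"2025-09-15T09:09:03Z","operator":"desk-op-17","tenant":"carmaker-b","target":"r.patel","groups":["Domain Users"],"action":"mfa_reset","verification":"callback_to_registered_number"}
{"ts":"2025-09-15T09:12:55Z","operator":"desk-op-17","tenant":"grocer-c","target":"it-admin","groups":["Global Administrator"],"action":"password_reset","verification":"manager_approval"}
{"ts":"2025-09-15T09:20:30Z","operator":"desk-op-22","tenant":"retailer-a","target":"a.jones","groups":["Domain Users"],"action":"mfa_reset","verification":"caller_id_only"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_privileged(event):
    """True if the target account is in any privileged group."""
    return bool(PRIVILEGED_GROUPS & set(event["groups"]))


def _finding(rule, event):
    """Build a finding record that keeps enough context to triage."""
    return {
        "rule": rule,
        "ts": event["ts"],
        "operator": event["operator"],
        "tenant": event["tenant"],
        "target": event["target"],
    }


def evaluate(events):
    """Apply the policy rules to a batch of events and return findings."""
    findings = []
    tenants_by_operator = defaultdict(set)
    for e in events:
        tenants_by_operator[e["operator"]].add(e["tenant"])
        strong = e["verification"] in STRONG_VERIFICATION
        if is_privileged(e) and not strong:
            # Any reset of a privileged account needs out-of-band verification.
            findings.append(_finding("privileged_reset_weak_verification", e))
        elif e["action"] == "mfa_reset" and not strong:
            # An MFA reset on caller ID alone removes the second factor entirely.
            findings.append(_finding("mfa_reset_weak_verification", e))
    for operator, tenants in tenants_by_operator.items():
        if len(tenants) > MAX_TENANTS_PER_OPERATOR:
            # One operator acting across many customers is the shared-desk
            # pattern the text describes; surface it for review.
            findings.append({"rule": "operator_spans_many_tenants",
                             "operator": operator, "tenants": sorted(tenants)})
    return findings


def rules_triggered(events):
    """Sorted list of distinct rule names that fired for the batch."""
    return sorted({f["rule"] for f in evaluate(events)})


if __name__ == "__main__":
    for finding in evaluate(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(finding))
```

On the constructed sample this produces three findings: the `Domain Admins` MFA reset done on caller ID alone, the ordinary user’s MFA reset done on caller ID alone, and operator `desk-op-17` acting across three tenants in one morning. The point of the design is that the customer, not the provider, defines what counts as strong verification and which groups are privileged, and runs the check on a copy of the helpdesk log it receives, rather than relying on the provider’s own script being followed.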

Incentives are broken

Capitalism encourages cost reduction. CIOs want to, or in some cases have to, cut 10% off their budget each year. But when you get to the point where the UK government may have to use taxpayer money to pay JLR’s suppliers to not work, while JLR book record profits, we ought to ask ourselves — do the incentives here create economic risk to the UK?

With losses approaching a billion quid, you’d think insurance providers would be devastated and on high alert. No. Insurance providers are very excited by the incidents, and are currently out in full force profiting from them:

Cyber incident response providers are equally loving it — stick any of these breaches into Google, or ransomware in general, and it is boom times. A large part of the cyber industry bottom line is, sadly, ransomware — which is why there continues to be a lobbying pushback around banning ransom payments.

Who isn’t loving ransomware? The victim orgs, the school children who see their schools close in incidents so regular they don’t make the news, people who can’t use council services for months on end in ransomware incidents which barely make the news… the list is long.

We’ve normalised ransomware.

The list will get longer as ransomware and extortion groups move on to things like airlines, food production, warehousing and other sectors. You might think — Kevin — they already do this. They’ve barely started. They have a target rich environment. There is not a shortage of victims.

Because they know large orgs have outsourced helpdesks to super low cost providers, the threat increases. Because they know orgs have outsourced key IT systems to providers who have 3940 other customers and they’re managing from flow charts and SOP documents, the risk increases.

Because organisations are busy trying to automate everything and put IT at the heart of everything to reduce cost, the risk and the threat increases.

When you combine cost pressures, capitalism, automation and a digital economy — there’s risks which have developed here. Many orgs are, essentially, in a race to the bottom when it comes to cost. Races to the bottom don’t end well.

Data protection

Ciaran Martin wrote a really good LinkedIn post which got me thinking:

I’ll quote him:

So why are we still banging on about personal data in cases like this as if it’s the primary concern? It’s important. But car manufacturers don’t hold much very interesting data about their customers. The *primary* issue here is the disruption, not data loss.

Part of the problem is that right now we have comprehensive legal obligations to protect data but we don’t have comprehensive legal obligations to protect services. Even with the pending new legislation in the UK, it’s only the critically important companies that will be covered.

My personal view is that we need to take a long hard look at this (im)balance. Both data security and service continuity are important. But they’re quite different — it’s the organisational equivalent of suffering someone sneaking around your house copying your sensitive information, or having someone punch you in the face and break your legs. Both are unpleasant and damaging, but they’re very different experiences with very different impacts.

And yet law and practice tells us to worry about the former more than the latter. Isn’t that a bit weird?

He’s right. I hadn’t thought about it before. For example, the press has barely mentioned the Jaguar Land Rover incident after the first two days — save for when they admitted “some data” may be impacted. That became another news cycle. But… why? The primary impact here is that the UK government may have to effectively bail out the motor sector. Not that some data may have been taken.

Companies are hyper-focused on legislation — rightly so, and GDPR is proof that legislation works. However, while the focus on data protection is highly visible at most large organisations, the focus on cyber resilience is — frankly — almost non-existent.

Many organisations think IT disaster recovery plans deal with ransomware. They don’t. The first thing ransomware groups do is delete backups and recovery systems, before they disrupt anything else. I’ve talked to business after business after business whose real plan for ransomware is simply: the insurance covers it, we’d pay. Anybody who has been in the trenches of these incidents will tell you that two things happen: your business IT has a heart attack, and paying does not equal restoration. In almost every case, even with payment, restoration takes weeks to months. The real risk — which often materialises — is that somebody deliberately tries to set your head office on fire, but via IT. And in almost all cases, when that happens, the organisation doesn’t know what to do — and calls the NCSC and NCA like they’re the fire department. The fire department they are not.

If you look at Marks and Spencer’s website, they have a 3 page list of executives and C-levels who control every important element of the business — but there is nobody listed for cybersecurity. That role exists… but it isn’t even seen as important enough to name on the website. The same with Jaguar Land Rover and Co-op Group.

What I think the UK government should do

There are a couple of pillars I think the UK can lead on:

  • Bring forward the legislation around forcing companies to disclose if they’ve paid a ransom, and banning critical infrastructure from paying ransoms.
  • Ask for plans to be prepared to ban payments of all cyber ransoms by or for UK companies. This does not mean it has to be implemented. This means there should be planning in place around how to do it, should we need to pull this lever. It’s also a signal of intent — including to boards that ‘just pay’ is a bad plan.
  • There needs to be education for very large organisations around the level of risk they take with third party service providers of absolutely critical services — some of these services should be in house, and properly managed, and ringfenced as cost of doing business.
  • There needs to be follow-on exploration of legislation on cyber resilience around protecting key services. “BEING SOLD TO TATA”, as seen on the board above, is probably not just being written at the Co-op. It’s just that nobody outside realises it is happening.
  • There needs to be a plan to defuse the ransomware economy, even if that means pushing back against the cyber vendor industry. Incentives must be realigned.

I really do believe the UK can lead the way on this whole topic, and civil society would be better for it. I also believe we not only can, we must — the choice is going to be if we react when things have gone very wrong, or start acting now.