In October 2024, foreign hackers mounted a dual, double-extortion attack on Microlise: data was stolen from its systems and malware was deployed to render the company's servers inoperable. Ransom demands were issued for each part of the attack, one to prevent the release of the stolen data and one for a decryption key to unlock the affected systems.
“From 8pm, [the malware] went into our data centres, but it had been launched earlier at about one o'clock,” CEO Nadeem Raza recalls. “After trying to understand what wasn't working and why it wasn’t working, it became evident that a piece of malware had been released into our systems and the important thing then was to shut down multiple systems and contain it, so it wouldn’t spread across more of our data centres.”
Compromised data and the immediate impact
The attack was contained before any customer details were exfiltrated: that data, held in a separate, heavily encrypted and protected data centre, was not reached. More than a million corporate files from head office were stolen, but these were primarily the organisation's own data rather than personal customer information.
But Raza, who spoke about his experience on the ICAEW podcast Behind the Numbers, says the extensive system disruption and time-consuming recovery process were onerous: “It takes a long time to go through all these things and see what has been compromised – from the perspective of the hackers, they’re not spending time looking at what they’re taking; they’re just trying to take as much as they can before they’re detected.”
While some functions were back online within a few days, it took about three weeks to fully restore everything. As well as undertaking a major recovery and repair effort, Microlise was obliged to inform the relevant authorities within 72 hours, including the police and the Information Commissioner's Office (ICO), as well as regulators outside the UK.
“We are an international business, so there are equivalent bodies to the ICO in Australia, France and India that we had to inform and obviously their requirements are all slightly different to the UK,” says Raza.
Communication with customers was key
While not all of Microlise's customers were affected by the attack, it was important to keep stakeholders informed and reassured, especially in the immediate aftermath while service was disrupted.
Post-hack communication required striking a balance between transparency and security, as Raza explains: “Our customers wanted to know what happened, whether any of their data was taken, when our services would be restored and whether they are at risk themselves, but some of that information can’t be provided through public channels, because the hackers are going to be monitoring these channels and there may be residual malware that could be used for a secondary hack.”
Public channels, such as the company website, mass emails and the media, had to be carefully managed during this time.
“Obviously, we had media people asking us questions where we were only able to provide certain elements of information,” says Raza.
Instead, new secure communication channels, separate from the public ones the attackers might be watching, were established with selected security teams and customers to share the information that Microlise could not release publicly, such as details of the nature of the attack and the status of the restoration process.
Learning lessons from a crisis
Raza says two effects of the hack proved to be catalysts for change in the organisation. First, the attack taught the team that seemingly non-critical infrastructure, such as a six-year-old label printer that had never broken down, could become a single point of failure and severely affect business operations. The printer, which was driven by one of the compromised servers, produced specially formatted labels that enabled Microlise's carriers to deliver goods efficiently.
“Because the printer had sat there working without any problems for six years, nobody had touched it, so after the attack, everyone was scratching their heads and wondering where the software was, where was the back-up, and who we’d have to call to get this sorted out,” says Raza.
The second major lesson was about the importance of knowing not just your own security protocols but your customers' as well. Once Microlise started communicating information, Raza says, it discovered that some customers had their own mandatory incident procedures, such as full password and certificate resets in the event of a breach at a supplier. Managing these processes with multiple customers added significant time and work to the restoration process.
For future mitigation, Microlise accelerated its security roadmap and focused heavily on staff training, recognising that the large majority of malware incidents (a commonly cited figure is 80%) begin with human error, such as opening a malicious attachment on a phishing email.
“There are so many potential vulnerabilities, so we’ve done a lot more training with staff to protect themselves as well as the company,” says Raza. “When we educate people in cyber security, it is useful in their personal lives as well as at work.”
Raza advises all organisations to have an insurance policy that includes cyber attack protection and expert support from insurers, as well as coverage for financial loss.
“Insurance companies deal with these incidents every day,” says Raza. “Hopefully, it’s a rare event, but in that scenario, time is of the essence and you really need to have the right experts with the right skills.
“Our insurance broker has a great team. Within the first couple of hours, they knew who to bring on board, and I don’t think we could have come back within the time period we did without their help.”
He has shared this advice with many Microlise customers who admitted that if they experienced a similar attack, they wouldn’t be sure who to call.
Finally, Raza advocates a change in the law to make all ransom payments illegal, as a disincentive to criminal groups. As the law stands, it is only illegal to pay ransoms to sanctioned actors; the government is currently consulting on changes to the rules around ransomware payments. Although a criminal group claimed responsibility for the Microlise cyber attack, nobody has been brought to justice. With many of these groups renaming themselves after attacks and operating across borders, detection and enforcement are challenging.
Raza explains his stance: “Less than 50% of ransoms are paid – and we didn’t pay any ransoms – but if ransom payment was illegal in all cases, it would make it harder for these criminals to operate, their work would dry up and they’d have to go off and do something else.”
Action on cyber security can boost growth
As part of ICAEW's campaign on backing business-led growth, we have outlined three key recommendations for government on cyber security:
- Establish a national cyber resilience fund for SMEs
- Enhance cyber security education and awareness
- Incentivise cyber insurance uptake
Cyber security awareness
Each year ICAEW marks global Cyber Security Awareness month with a series of resources and a podcast addressing the latest issues and how to protect your business.