24 hours inside a cyber attack with an incident response team

Story synopsis:

• Our cyber security team took an emergency call: a popular website had been hacked.
• Experts were on the scene in under two hours, and quickly identified and fixed the breach.
• The attacker confessed, and was arrested, before any stolen details were used or shared.

Valentine’s Day. Deloitte cyber security specialists take an emergency call – a popular website had been hacked. Can they fix the breach, protect customer data and ID the attacker?

24 hours inside a cyber attack with an incident response team

Day one: A race against time

Travelling from opposite ends of the country, the team was on the scene just two hours after the call came in.

A bug had been detected by the client’s system administrators and the hacker was searching customer details. When our experts arrived, the company was about to alert 100,000 site users, a move that would have attracted the media’s attention. Under the EU's new GDPR rules, the client also had to report details of the breach to relevant authorities within 72 hours.

The clock was ticking. They had to move fast to contain the threat.

“We quickly established a rapport with the client so they knew we had the situation under control and would trust us,” the team explained.

Tracking the hack

The team identified the attack vector – the technique the hacker was using to access the site – in under an hour. They also discovered how the server was being hit, what data the perpetrator was trying to steal and from where they were doing it. Working with a programmer from the client company, they found and fixed the bug.

The team continued, “We were tracking the person at the other end, working out who they were and what they wanted, trying to solve the puzzle. We could see they were searching pages but, to isolate the attacker, we had to separate their malicious searches from normal user activity.” Even after we fixed the bug, we could see they were still trying to get access to the site. Our experts were now one step ahead of the hacker, but they had to work out what information had been stolen. This meant meticulously analysing 100 GB of data – millions of site requests – to identify every possible victim.

Day two: Caught in the act

The team’s speed and precision paid off. They had gathered enough evidence for the police to get a search warrant and the attacker, still trying to hack the site, confessed and was arrested before any stolen details were used or shared.

The stakes had been high as the potential implications of a successful hack were enormous, but 24 hours later, the crisis was over.

The team commented, “It was a high-stress situation, but we’ve done this before so were able to stay calm. We were delighted to catch this person and contain what could have been a nationwide news story. It had a big impact on the client and their reputation.”

It was also one Valentine’s Day they won’t forget in a hurry…