Amedia AS Cyber Hack Case Study: A review of their crisis communications from 28th December 2021 - 7th January 2022
A deep dive into the Amedia AS cyber hack which occurred over the holiday period. Charlie discusses in-depth all the important lessons to take away from how Amedia AS dealt with the hack.
For the beginning of the year, I thought I may start off with a fluffy article about what your business continuity New Year’s resolutions should be, however I might do this next week! Today I’m going heavy-duty and writing the bulletin about the media response of Amedia AS, a Norwegian print and internet news organisation. Getting information on cyber incidents is hard to come by, as organisations don’t like to put in-depth information on their website because it may help the next cyber hackers. But, I think that more often they want to move on from the incident as soon as possible, and not remind their customers or potential customers about the hack. The information given to customers often gets taken down and removed very quickly from the website. Reviews such as these have to be carried out close to the incident when the information is still available. Although, you have to wait for a year or so for organisations, such as SEPA and the Irish Healthcare Executive have recently done, to publish public information on what happened and their learning points.
Who are Amedia AS?
Amedia AS are the largest publisher of local media in Norway. They have over a thousand editorial staff across the country contributing to ongoing news coverage in 84 local newspapers, ten local websites and three professional magazines. They also own printing presses and run their own news agency, Avisenes Nyhetsbyrå. Subscription to access their newspapers is a key part of their business model.
The timeline is taken from Amedia’s website.
Tue, 28th December 2021
- The hack took place on Tuesday evening.
- “The production of online newspapers is going as normal, but no paper newspapers will be published on Wednesday.”
- They admit that the situation is unclear and they don’t know the full extent of the damage.
- They said that “the problems are limited to the systems managed by Amedia's central IT company, Amedia Teknologi. Amedia's other systems work as normal”.
Wed, 29th December 2021
- The headline on the update – “The computer attack on Amedia on Tuesday 28 December means that the central information systems are still encrypted and out of order”.
- They start making efforts “to establish alternative solutions for the production of paper newspapers and for access to the information systems".
- The first mention of informing the police and to the Norwegian Data Protection Authority.
- They are upfront about receiving a ransom demand and that they are not going to pay it.
Thu, 30th December 2021
- Concentration seems to be on the production and printing of paper newspapers.
- Last night, Amedia published 13 of their own newspapers and partner newspapers, but weren't able to publish them all as it took longer than expected.
- In parallel they mapped whose personal data is covered by the data attack.
- Admitted systems for publishing paper newspapers, advertisements and subscription management do not work as normal.
Fri, 31st December 2021
- They said that all 70 paper newspapers would be published on this day.
- The banner for this day was a subscriber holding up a copy of the paper, which I thought was a good touch.
Mon, 3rd January 2022
- Started the dialogue about the paywalls for their online subscription services and explained why they were taken down.
- Gave a general update on the incident, what they have done so far and their progress in publishing newspapers.
- The first mention of the National Security Authority.
Tue, 4th January 2022
- Said they are unable to provide further details on the attack due to the ongoing investigations.
- Still working on mapping the data of employees and subscribers who were affected by the cyber incident.
- “Amedia currently has no information that personal data has been published or misused in any way.” They have stated that they have external assistance in place to detect if the hackers posted or tried to exploit the data.
Thu, 6th January 2022
- More and more of the systems are being restored.
- Subscribers will have to log in again to access the content.
- They have developed a trial system for non-subscribers which is a new innovation. I wonder if this is a consequence of their workaround IT configuration or a genuinely new service!
- Talked about the financing of journalism and how important it is.
- The ads purchasing system is back up and running.
All the learning points were taken from reviewing Amedia statements on their website. No further research from other commentators was looked at. Now I have written my own review, there may be a further bulletin on what others have written on the subject.
Good practice learning points:
1. When organisations have a cyber incident, they try and give out as little information about the incident as possible, especially at the beginning when it is first discovered. Amedia AS has been giving regular detailed progress reports.
2. On the banner of their first page of the information pack on the hack, (see Figure 1 below) there was a very prominent picture of Pål Nedregotten, who was Executive Vice President in charge of Product, Editorial and Subscriptions at Amedia. The banner was not some nondescript cyber themed banner or an abstract corporate picture. It seems to me that the message his picture gives is - I am the guy responsible for this, I am in charge and I’m going to lead the company out of this incident. I personally think it’s an excellent idea to incorporate communications in the information pack. Especially when it is a computer or IT story to humanise it and behind every computer system, there is a real person.
Figure 1: Front page of the website on 6th January 2022.
3. I also think by quoting Pål in the initial statement saying, “We have already implemented comprehensive measures to limit the damage and to restore normal operations as quickly as possible”, it again emphasises the human element, making the statement less corporate speak and more that there is a human taking command and dealing with the incident.
4. In a similar way that Dundee and Angus College did in their response to a cyber incident in 2020 (read here), Amedia provided the information which they knew their customers would want to know and was important for them to know. See Figure 2 for the information from the first publication on the 28th of December.
Figure 2: List of impacts from the website on 28th December 2021.
5. Amedia apologised in the first statement and have taken responsibility for the issues. “We apologize for the problems that have arisen and which in various ways affect our customers and employees”. They have also identified the victims of this hack and have then put them at the centre of their response. Often you see others in their initial communications ‘big up’ the criminals behind the hack and say they are ‘highly sophisticated, organised international criminals’, and have tried to play the victim. Here there is very little reference to who did it, as their focus is on their customer and the response, not the perpetrator. For me, this is a more effective line to take.
6. I think it is excellent that immediately they have identified that data has possibly left the company. Data has gone “astray” is not a good word to describe it in English, but I suspect that this is a Norwegian to English Google translation. Figure 3 (below) shows that they have been upfront and are working on the assumption that data has been lost and they have put a list of what that data loss is likely to be. They may have known that there was data loss because in any ransom note they may have been told. I think it is a reasonable assumption if you have a serious ransomware attack that your key data might have been exfiltrated before the encryption of data occurs.
Figure 3: Information about the loss of data
7. Amedia has been very upfront about the hack. There is no doubt that they have had a cyber-attack. There is also a separate tab on the website about the data hack, both of which are good practices.
8. Hacks occur at the most inconvenient times, often during holiday periods (SEPA & Travelex), and I suspect this one follows that pattern. During holiday periods it is more difficult to respond as senior staff may be unreachable, and you might not have your most experienced and senior IT people on standby.
9. Throughout the response, they have tried to give timelines regarding when services may be available and have managed their customer’s expectations. On 29th December they have stated, “Efforts are being made to make the solution available to everyone from Friday”.
10. In their statement, they have talked about employee communication via ‘Workplace’. Keeping employees up to date during a cyber incident is critically important. This can be extremely difficult if the system that is usually used is locked.
11. I believe the point above is a good practical solution that should be added to your plans if it is likely that the computers won’t be working, and access to cloud systems such as Microsoft 365 is only available via mobiles. Amedia also stated on their website how they are helping their staff - “As most people now work via mobile, an agreement has been entered into with Telenor that everyone will have mobile data extended to 100 GB, so that this will not represent a practical problem in the work situation in the future”.
12. “Amedia is prepared for the fact that it will take a long time before the situation returns to normal, and that both paper newspaper production and other functions must take place via alternative solutions during that period.” This is a very important message to manage customer expectations, and inform them that the solution to the issue will take a long time. For example, organisations like SEPA and Hackney Council have taken over a year to restore all their systems.
13. On 30th December, also on the news feed is a general company announcement, “Amedia buys Nordre Aker Budstikke and Sagene Avis” alongside the cyber incident information. I think it’s a good idea to keep putting in business as normal announcements, as this gives the impression that corporate life is going on.
14. I like their honesty and they have given explanations of why they didn’t achieve what they wanted to achieve. “Last night, Amedia published 13 of our own newspapers and partner newspapers. The reason for not being able to do more was that it took longer than expected to get a new platform for the editorial print production. The production became operational from 8pm on Wednesday night, but the process turned out to take longer than expected”. By giving a running commentary of what has been happening, talking about how they have introduced workarounds to provide access to their newspapers, it gives the reader the impression of activity and momentum.
15. Amedia talked about the staff going the ‘extra mile’ to make sure that their papers were printed. Praising staff and showing everyone is working to a common end is very much an echo of the film (available to watch here) made by Norsk Hydro after their cyber hack in December 2019. They were widely praised for their openness and their response. I suspect that this style of response has been picked up by those responding from Amedia.
16. I also like that they thanked Polaris and Schibsted, which I think might be their rivals, but it again shows that they are working with others to deliver to their customers.
Possible areas for improvement
1. I have noticed that as the days have progressed, their statements have begun to repeat themselves, and are providing the same information. Perhaps the updates aren’t written by the same person. If they were being proactively sent out as statements or press releases then this works, but the danger is that they could start to contradict themselves. I think it might be worth having a master page where all the information on the incident can be found and then having one page with the latest updates. This would be more work as the master page would have to be updated each day, but at least that would make sure that statements do not start to contradict themselves or become confusing. SEPA's website had a RAG status report on their services and this is a good practice to implement during a cyber incident.
2. As far as I can see, there are no helpline or contact details of a subscriber or a member of staff in case you wanted to contact the organisation for more information and confirm whether you have been affected. In the initial response, it was mentioned that those affected would be contacted, but good practice guidelines suggest that there should be a means for people to get information straight from the organisation and not have to wait until they are informed.
3. The only two groups mentioned whose data had been lost were subscribers and staff. There could also have been a loss of supplier data, advertisers and other groups whose data they hold too. It is good practice to carry out a data risk assessment prior to an event that categorises what data is held within an organisation. This needs to go beyond the data collected by GDPR reviews.
4. There is no mention of what staff and others should do to protect themselves if their data has been lost. Sometimes credit monitoring services have been given. Those losing data may not be aware of credential stuffing (read more here) and so they may have scams or frauds conducted on their other online accounts. If they regularly reuse passwords, then they need to be informed to change them.
When you provide B2C services and have a large public customer base, you cannot hide a cyber incident. I believe that Amedia has done an excellent job at providing information to their customers and staff. They have been open about the incident and its impact, provided regular updates on the status of services and when they are likely to be back. They have acknowledged that it will take considerable time to get back to normal, but have demonstrated that their managers are leading the responses and all staff members are working hard to resolve the situation. Some of their response, their willingness to be open, and the language used echoes the Norsk Hydro cyber incident, which provides good practice guidelines as it is generally acknowledged it was well responded to. There are a number of actions that Amedia could improve upon, but on the whole, I think their response has been fairly good.