Small and midsize companies are fighting a rising tide of cyberattacks largely out of public view, posing an underappreciated risk for the bigger companies and institutions that use their services.
Attacks on high-profile targets like hospitals, retailers and airlines typically make headlines. But analysts documenting the activities of increasingly savvy cybercriminals say they are hitting lesser-known targets harder, especially those closely linked with big, influential companies. That can ricochet across other, unrelated entities, disrupting businesses far removed from the actual hack.
Take Epiq Systems Inc.
Though barely known to the general public, Epiq plays a central role in a range of high-stakes legal matters. Its customers include top law firms, investment banks and industrial conglomerates. Epiq is handling claims in the bankruptcy of home-goods retailer Pier 1 Imports Inc. and administrative services in legal proceedings involving utility giant PG&E Corp. It has more than 70 offices and 5,000 employees.
In the early hours of Saturday, Feb. 29, Epiq Chief Executive David Dobson was asleep at home in Connecticut when his chief information officer called. He had flagged unusual systems activity the night before, and said Epiq had been hit by hackers aiming to encrypt its files and extort the company.
The two decided to take Epiq’s systems offline globally, from New York to Tokyo. They hoped to limit outside access and safeguard client files while restoring data from backups. They didn’t know how long it would take.
Epiq operates in a niche market, managing claims and electronic discovery for trials, legal settlements and regulatory investigations. It helps companies sort digital records for compliance and restructurings. It also helps companies recovering from cyberattacks handle customer notifications.
“Somebody like Epiq gets hit, it matters to everyone,” said Eric Monzo, a Delaware lawyer in bankruptcies and reorganizations.
Companies with scores of demanding clients are prime targets for hackers, especially those deploying ransomware and trying to get paid for unlocking files they have encrypted, said Brett Callow, threat analyst with cybersecurity firm Emsisoft. In such cases, “the victim company is under far more pressure,” he said.
These attacks are more frequent, and as perpetrators have made money with them, they have become more sophisticated, say insurers and security experts. Emsisoft estimates that U.S. ransomware victims collectively paid out more than $1.3 billion to their attackers in 2019. Business downtime lasting days or weeks often costs more than the ransom itself, analysts say.
More than 60% of the ransomware attacks that insurer Beazley PLC documented in 2019 targeted small and medium-size businesses. Some attacks shut down operations for hundreds of the targets’ customers.
Epiq executives in February, like the rest of the world, were transfixed by coronavirus, and they were juggling work-from-home and employee furloughs when hackers hit.
“What’s going on here?” a lawyer representing creditors in a Delaware health-care bankruptcy recalled thinking when he had trouble with an Epiq website that first weekend. That week, Epiq’s systems outage halted the processing of restitution claims related to puncture-prone air bags, according to a federal court filing. Elsewhere, separate court filings show a March 3 trial deadline was missed in litigation between biotechnology companies because Epiq’s outage made discovery documents unavailable.
In New York and Washington, German lender Deutsche Bank AG and outside lawyers warned Congressional investigators of possible delays in producing bank records requested as part of a money-laundering probe, according to people familiar with the matter. Deutsche Bank devised workarounds, and has said it is cooperating with the Congressional probe.
In Pennsylvania, bankruptcy proceedings for the Catholic Diocese of Harrisburg were just getting started, with Epiq on board as claims agent. Lawyers and a trustee swapped notes about the status of records documenting sex-abuse claims and alleged abusers—records meant to stay secret.
“I’ve never had this happen before. In the back of our mind, we were all concerned,” said Matthew Haverstick, an outside lawyer for the diocese. He and a spokeswoman for the diocese said officials know of no documents that were compromised. The diocese spokeswoman said it is committed to supporting survivors of child-clergy abuse while working on a plan to compensate creditors.
Epiq, meanwhile, rushed to restore public-facing websites, set up cloud-based workarounds and send affidavits so clients could get court extensions.
Many courts were slowing down anyway because of coronavirus, but bankruptcies were picking up. Mr. Dobson said segments of the firm accounting for about 80% of the company’s projected $1 billion in annual revenue “were significantly impacted.”
SHARE YOUR THOUGHTS
If you were the victim of a ransomware attack, would you pay to get your files back? Join the conversation below.
One competitor swooped in trying to poach clients. On March 3, Travis Vandell, a managing director of legal-services company Stretto, based in Irvine, Calif., emailed lawyers in a bankruptcy case.
“Gentlemen,” the email read, according to a copy reviewed by The Wall Street Journal. “As you may know, Epiq has experienced an unprecedented ransomware attack leaving your clients’ data vulnerable and all their websites completely inaccessible.” Mr. Vandell warned of “the potential for extensive data breaches” and said Stretto would waive transfer fees for clients to leave Epiq.
Two days later, at a health-care-restructuring conference in Nashville, Tenn., Epiq employees told peers the solicitation was a “low blow,” according to a person who was part of the discussions. Epiq was a sponsor of the one-day conference. One of the presentations: “Cybersecurity Attacks: What Keeps You Up at Night.”
A Stretto spokeswoman said the company wanted to help clients affected by Epiq’s ransomware attack. She declined to say whether Stretto benefited.
Epiq and the cybersecurity consultants it hired have no evidence any client data was lost, stolen or misused, Mr. Dobson said.
On March 9, Moody’s cited the ransomware attack when it warned of a potential ratings downgrade to around $1.3 billion in debt issued by Epiq’s parent, Document Technologies Inc. The downgrade came the following week. Coronavirus was already a problem, said Moody’s analyst Oleg Markin, and “the cyber event wasn’t helpful.”
Later that month, Epiq released a statement saying all of its client-facing systems were back up and running, with added security. Epiq declined to say whether it paid off its attackers, or comment on specific clients. Mr. Dobson said top clients stuck by Epiq, and it is bouncing back from the March revenue decline.
Lawyers who saw the events unfold said disruptions were manageable, but they are going over legal contracts with Epiq and other service providers to gauge liability if client information were to leak in a future cyberattack. Law firms themselves are frequent hacking targets, and several lawyers said they don’t blame Epiq. As one lawyer put it: “It’s like being mad at someone because a meteor hit their home.”
Write to Jenny Strasburg at email@example.com
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8