Towards the end of last year, Fortune-500 company R.R. Donnelley, one of the world’s largest commercial printers, announced that it suffered a network intrusion following a ransomware attack. Details about the data breach are still sparse; however, the attorneys at Console & Associates, P.C. are actively investigating the breach to determine if the company bore any responsibility. If it turns out that R.R. Donnelley failed to implement an adequate data security system, or the breach was otherwise linked to the negligence of the company, it may be liable through a data breach class action lawsuit.
The R.R. Donnelley data breach is relatively recent, so there is not a lot of publicly available information regarding its causes or the extent of the consumer information compromised as a result of the breach. What is known about the breach is that it occurred on December 27, 2021. In response, R.R. Donnelley shut down company servers to identify the scope of the problem.
In what may be a related story, the major brokerage houses Fidelity and Vanguard both experienced six-day service outages on the companies’ websites around the same time as the R.R. Donnelley breach. In a statement to the press, Vanguard explained that the website issues involved a “third-party mailing-and-check processing vendor.” However, the Vanguard representative would not confirm the name of the third-party vendor.
What Is Ransomware?
Ransomware is a type of malware that typically blocks access to a person’s device or data unless they pay a ransom to the party controlling the program. Often, ransomware is delivered through the use of a “trojan,” a seemingly harmless file that installs the malicious software when the user opens it.
Are Cybercriminals Targeting Their Ransomware Attacks on Certain Businesses?
According to a recent news report, it appears that R.R. Donnelley might have been targeted due to the fact that the company is in the process of soliciting bids for a merger or acquisition. In fact, according to an FBI news release from November 2021,
“The FBI assesses ransomware actors are very likely using significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections. Prior to an attack, ransomware actors research publicly available information, such as a victim’s stock valuation, as well as material nonpublic information. If victims do not pay a ransom quickly, ransomware actors will threaten to disclose this information publicly, causing potential investor backlash.”
The idea is that cybercriminals identify companies that are at a critical juncture and exploit the fact that the company will want to avoid blowing up the deal based on bad PR from a data breach. Thus, in the cybercriminals’ minds, the company is much more likely to pay the ransom. However, the FBI explains that it “does not encourage paying a ransom to criminal actors” because doing so “emboldens adversaries to target additional organizations, encourages other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered.”
Additionally, the FBI encourages companies that are going through a critical event such as a merger or acquisition to take the following steps to ensure the safety of their networks and the consumer data these networks hold:
- Back up all critical data;
- Ensure copies of critical data are uploaded to the cloud or downloaded to an external hard drive;
- Secure back-ups to ensure data is not accessible from the system where the original data resides;
- Install and regularly update anti-virus or anti-malware software on all hosts;
- Only use secure networks and avoid using public Wi-Fi networks;
- Use two-factor authentication for user login credentials;
- Use authenticator apps rather than email because cybercriminals may be in control of employee email accounts;
- Do not click on unsolicited attachments or links in emails; and
- Implement least privilege for file, directory, and network share permissions.
All businesses in possession of consumer data have an ethical and legal obligation to ensure it remains private. While maintaining an adequate data-security system places a significant burden on corporations, it is a necessary cost of doing business in an environment where hacking and cyberattacks are common. If a company does not take its consumer privacy duties seriously, it may be liable through a data breach class action lawsuit. While it is too early to tell if R.R. Donnelley took the necessary precautions to protect consumer data from this type of attack, the breach raises serious concerns about the data security measures the company had in place leading up to it.
If you believe that you were affected by the R.R. Donnelley data breach, it is important that you not only protect yourself from possible fraud but also understand your rights.