The maritime industry, which uses vast quantities of electronically stored and transmitted data, is particularly vulnerable to ransomware threats. Increasingly sophisticated strains, like Conti or REvil, can spread across the entire network of a shipping company, infecting computers globally and encrypting data. Not only are systems encrypted, but the attacker will often also exfiltrate data stored on servers. The extortion therefore relates not only to decrypting and restoring access to the encrypted information but also to the threat of publicly releasing the stolen data on the dark web. Even if a company could restore its data from backups and avoid the need to rely on decryption keys from the threat actor, the risk of any data accessed or exfiltrated being disclosed or published remains.
A very recent example of a ransomware attack on a maritime company took place in December 2020 when a Norwegian cruise company, Hurtigruten, was targeted and forced to shut down its website. Although precise details are unknown, its systems may have been compromised, its data encrypted and possibly exfiltrated, and a ransom payment probably demanded. It is reported the incident may have affected passengers’ personal information, such as names, dates of birth, passport details, email and home addresses, phone numbers, and some medical information. It is believed that the company, which operates ferries along the Norwegian coast as well as cruises in the Arctic and Antarctic, responded by disabling affected computer systems, launching an investigation to determine the data and individuals affected, and reporting the incident to law enforcement. There are no figures available on the financial impact that the incident may have caused the company.
Data as an asset
Shipping companies are likely to hold a broad range of sensitive data which could be of interest to malicious actors. Commercially sensitive material of potential interest to cyber hackers, held by shipowners, charterers, or shipping agents, would consist of data regarding contracts of affreightment, charterparties, freight rates, time charter rates, and bills of lading. Other sensitive data would also include information concerning financing facilities and banking details, which financial institutions and clients handle with extreme confidentiality. Insurance arrangements would also be seen as valuable. In some cases that we have seen, the cyber attackers who had access to the files and data in the network became aware of the policy limits in the victim’s cyber insurance policy, which they could then factor into their ransom demands and negotiations.
As another example, a ship management company managing third-party owned vessels, and providing management, technical and personnel services to shipowners, could be handling crucial information relating to the safety management systems of all their vessels, maintenance programmes, flag state, classification society and port state control records, and management service fees and budgets. The prospect of any of this confidential data being compromised and later threatened with public release would be of obvious concern to ship managers and their owner clients.
Destruction of data
Hackers do not always threaten public release of stolen data but can instead threaten to destroy it. In September 2020, CMA CGM was hit by the Ragnar Locker data encryption malware, which first appeared in 2019 and was designed to extort ransom money by threatening the destruction of encrypted files. The attack was reported to have hit a few Chinese offices but forced the carrier to shut down its entire network to prevent the spread. The hacker’s message reportedly read: “If you are reading this, it’s mean (sic) your data was encrypted and your sensitive private information was stolen. ... There is ONLY ONE possible way to get back your files – contact us via live chat and pay for the special DECRYPTION KEY!” CMA CGM were given two days to make contact. No details of the ransom amount or negotiations were released; however, an earlier attack by Ragnar Locker forced a Portuguese energy firm to pay a ransom of nearly USD 10 million in Bitcoin.
In addition to the operational, financial, and reputational risks that may result from hacked commercial data, a shipping company may also have breached data protection legislation where the personal data records of individuals have been compromised. Personal details can be held for various reasons. Ship management companies, which handle crewing requirements for shipowner clients, hold the valuable personal records of thousands of seafarers and personnel, tracking their employment history, payroll and claims expenses data, medical records, and personal information. Similarly, cruise line and ferry operators process information relating to thousands, sometimes millions of passengers in the case of the larger players. This may include names, addresses, phone numbers, passport details, dates of birth, and occasionally health and personal information, as illustrated by the Hurtigruten cyber hack.
As mentioned, any compromise of personal data could open a shipping company to the risk of violating data protection laws, possibly in various jurisdictions, and expose it to mandatory reporting regimes and potential administrative penalties and fines where the relevant data privacy obligations have not been met. We will briefly look at two such regulations: the EU and the UK GDPR.
On 25 May 2018, the General Data Protection Regulation (GDPR), described as the toughest privacy and security law in the world, entered into force in the EU, including the UK, and was soon after extended to the EEA (which includes the EU, Iceland, Norway and Liechtenstein). The GDPR was enacted into UK law as the Data Protection Act 2018 (DPA). The Regulation is intended to give EEA individuals ownership and control over their personal data. It imposes obligations on organisations located anywhere in the world which process the personal data of EEA citizens/residents, offer them goods or services, or monitor their behaviour, even if the data processing takes place outside the EEA.
Under the GDPR, data processing refers to any act performed on data, such as recording, storing, organising or erasing: essentially any data handling. Personal data covers any information relating to an individual who can be directly or indirectly identified. This information includes email addresses, location information, gender, age and cookie identifiers. Pseudonymous data (where an individual’s identity is disguised) is also caught by the definition if the individual can easily be identified.
The key question a shipping business should consider is whether, by virtue of its activities, it is subject to the GDPR as, if this is the case, it will be required to have data protection processes and procedures in place. In some cases, this will be self-evident (e.g. an organisation “established” within the EEA pursuant to Article 3(1) or which meets the “targeting” criteria under Article 3(2)). In other cases, the application of the GDPR may not be so obvious.
The multi-jurisdictional nature of the maritime industry, and the cross-border flow of data that accompanies it, sets it apart from some other economic sectors, and it is this international element that should be closely examined to determine whether any aspect of a shipping operation is likely to make it subject to the GDPR. A shipping company located outside the EEA should review any area of interaction with the EEA. Does the company offer goods or services to persons within the EEA, including persons onboard vessels flagged in an EEA member state? Is the personal data of EEA persons held on databases? Are tracking cookies used to monitor the behaviour patterns of persons within the EEA? Does the organisation have an office or conduct regular operations from within the EEA? Does it use EEA-based servers? Does it have EEA-flagged vessels? These are a few of the questions a shipping business should be asking to determine the applicability of the GDPR.
A shipping organisation, cruise line operator, ferry company or ship manager subject to the GDPR should be mindful of the seven protection and accountability principles at the heart of GDPR Article 5(1). Failure to comply with these principles may expose a shipping company to scrutiny from data protection regulators and may lead to enforcement action or substantial fines.
Articles 33 and 34 of the GDPR set out the data breach notification obligations. The obligation to notify the relevant data protection regulator falls on the controller (i.e. the person who handles personal data and decides why and how to process it). Following a data breach, the controller has 72 hours from becoming aware of the breach to notify the regulator “unless the personal data breach is unlikely to result in a risk to the rights and freedoms” of natural persons. In addition, where a data breach is “likely to result in a high risk to the rights and freedoms” of natural persons, the controller must notify the breach to the data subjects without undue delay.
The financial consequences of a data breach under the GDPR can be severe. Fines can be the higher of 20 million euros or 4% of the annual global turnover, which in the case of a large ship-owning company or cruise line operator could correspond to a substantial amount.
An example of a large penalty was that levied against Marriott International, which was fined over £18.4 million by the UK’s Information Commissioner’s Office (ICO) after the hotel chain’s guest reservation database was compromised following a cyber-attack in 2014. It is understood that 383 million client records were affected, 30 million of which belonged to EU residents, involving one or more of the following: names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership numbers. The cyber-attack was only discovered in September 2018 although it originated in 2014. Malware was installed which enabled the attacker to gain access to the system as a privileged user. This incident highlights the potential consequences when a business fails to look after customers’ data. As the ICO made clear in a statement about the fine it issued, “the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect”.
In addition to the potential regulatory penalty, an organisation in breach of the regulation may also be required to compensate financially the victims of the breach who are entitled to seek compensation under Article 82 of the GDPR.
The UK regulatory position is now set out in a version of the EU GDPR as it stood at 11 pm on 31 December 2020 as amended by relevant EU Exit regulations (UK GDPR). While it may be a while before material differences in the application and interpretation of the UK and EU GDPR develop, companies will also need to pay heed to a third piece of legislation referred to as the “Frozen GDPR” under which so-called “legacy data” including EU data acquired before 1 January 2021 is subject to the EU GDPR as it stood at 11 pm on 31 December 2020. There is no doubt that the interplay between these regimes presents challenges to shipowners from a compliance, cost and notification perspective.
Maritime industry organisations need to remain alert to the evolving landscape of cyber-crime and should focus their attention on ensuring their cyber-security programmes can protect their commercially sensitive information and personal data against new forms of insidious and costly malware attacks. In addition, the importance of conducting regular audits to ensure compliance with the relevant data protection laws should not be forgotten. If you would like to discuss in more detail any of the points raised in this update, please feel free to reach out to any of the contacts listed below or to your usual contact at Clyde & Co.
Cyber hackers continue to home in on the shipping industry, considered a vulnerable and highly lucrative target, as demonstrated by the 400% increase in attempted cyber hacks on maritime companies between February and June 2020 [1]. Ransomware attackers are reported to have made at least USD 350 million worth of cryptocurrency in 2020 [2], a steep rise from under USD 50 million in 2018. With these numbers in mind, maritime sector participants, from the smaller shipping outfit to the largest players, would be well advised to think about their potential exposure to cyber-risk as well as the steps they should be taking to mitigate the risk of a cyber security incident such as a ransomware attack.
A ransomware attack, in which malicious software is installed remotely to block a user's access to its computer systems or data with the intent of extorting a ransom payment in exchange for restored access, typically strikes unexpectedly. A shipping business locked out of its IT systems would have difficulty communicating with its clients, suppliers, shipping agents and port authorities, and would be unable to retrieve data, shipping documents or contact details. Although malware has been found aboard ships' IT systems, the majority of cyber-attacks have been perpetrated on shore-based systems, business offices and data centres from which ships, clients and personnel are managed and the logistics of transport organised.
A ransomware attack not only encrypts a business’ IT system, crippling it operationally, but is also often accompanied by a threat to publish sensitive information publicly or to sell it to the highest bidder on the dark web. The implications of this “double extortion” could be damaging, even catastrophic. The cruise line sector, which holds large amounts of customer data, is particularly vulnerable. Hurtigruten, a Norwegian cruise line operator recently hit by a ransomware attack, would have had to consider this threat and the possibility that the potential release of customer details could also raise serious data protection issues. We will be examining the subject of data protection more closely in our next update.
Financial and Reputational Considerations
The financial impact for a shipping business could be severe. Aside from the losses associated with the disruption of the maritime operations and the prospective ransom payment itself, there are the increasingly expensive costs of responding to the incident and the business interruption resulting from the disruption to the business. Add to this the expense of handling potential complaints from clients/customers, the costs of engaging and responding to regulators or government authorities and any ensuing third party litigation from individuals whose personal information was impacted in the incident, as well as the cost of any possible regulatory fines, and the amount continues to build up considerably. This is before factoring in a potential drop in company share value, investment and funding from a loss of confidence. By way of example, Maersk estimated the cost of the 2017 NotPetya attack to be somewhere between USD 250 million and USD 300 million [3].
The reputational damage is also likely to translate into the loss of current and potential business opportunities, and may lead to the long-term loss of customers keen to avoid dealing with a maritime business seen as vulnerable, particularly if the breach was perceived as avoidable.
Following any digital disruption, a maritime company's first instinct will be to try to urgently restore its systems and resume operational control. It will also seek to prevent any threat of external data disclosure. The first thing to consider should be whether, aside from potentially paying the ransom, there are alternative viable options for recovering the systems/data. If so, these should be explored in parallel with promptly identifying and re-securing the system and closing the associated vulnerabilities to prevent repeated attacks.
Where the threat actor alleges to have obtained data illicitly, it is important for the shipping company to validate this information. Have the hackers genuinely infiltrated the systems and obtained a copy of this data or are they making false assertions and/or relying on information collected externally from open sources?
In the process of engaging in discussions and negotiations with the threat actor, has it been possible to establish an attacker profile? This exercise will be helpful in gauging the perpetrators' intentions and identifying the most appropriate negotiating techniques. Some hackers have developed a reputation for being “reliable” negotiators whilst others may be unpredictable and unreliable.
As matters progress, have steps been taken to test decryption keys designed to unlock the paralysed system? With regard to the threat actor, has information revealing its identity been gathered? Critical indicators include the email addresses used to communicate, the cryptocurrency address provided, any unique identifiers, and any relevant information cross-checked with recognised sanctions lists.
It is also paramount to ensure that the IT systems that were compromised are contained and secure, not only to prevent the ransomware spreading, where possible, but also to prevent a further attack by the threat actor.
Other important points to consider: have the law enforcement authorities been alerted to the criminal event and the ransom demand? Have the various reporting obligations under sanctions, anti-money laundering, terrorism and other legislation been identified and fulfilled? Have the company’s insurers (if available) been notified in accordance with the cyber insurance policy? Has the legality and lawfulness of any prospective ransom payment been established?
Prior to making a ransom payment, to avoid facing fines or any other penalties, a maritime business needs to ensure full compliance with the national and international laws and regulations that a company engaged in international trade may be subject to. To take the national laws of the UK as an example, a shipping company based in the UK would need to consider the question of whether a ransom payment would fall under the Proceeds of Crime Act 2002 (POCA). POCA applies to offences committed by individuals or companies in the UK [4].
Section 328 of POCA makes it an offence for a person to enter into an arrangement they know or suspect facilitates the use of criminal property by another person. Consent for the payment may be required from SOCA (the Serious Organised Crime Agency) but this is determined on a case-by-case basis.
Under Section 15(3)(b) of the Terrorism Act 2000, a person commits an offence if they know or have "reasonable cause to suspect that it will or may be used for the purposes of terrorism." A shipowner or charterer is unlikely to know or suspect whether an anonymous perpetrator will use the ransom towards terrorist activities, and it will fall on them to satisfy themselves, through due diligence, that there is no reasonable cause to suspect that the money may be used for these purposes.
Sanctions also need to be considered so that a shipping company does not fall foul of applicable sanctions regimes.
EU sanctions apply to EU nationals and companies, and to all business done in the EU including activities on a vessel under an EU member state's jurisdiction. Under this regime, EU persons and entities are forbidden from making funds available to those listed on the European Sanctions List for Cybercriminals, established in May 2019, which includes entities such as WannaCry, NotPetya and Operation Cloud Hopper. Ransom payments following cyber-attacks have been subject to increased EU scrutiny, and shipowners, charterers, or agents subject to ransom demands should take care not to expose themselves to civil and criminal liability by making funds available to those featuring on the EU list of sanctioned entities.
The UK sanctions regime replaced the EU sanctions regime at 11pm on 31 December 2020, when the Sanctions and Anti-Money Laundering Act 2018 entered fully into force. Although similar, the new UK sanctions regime is not identical. It applies to all UK persons anywhere, to persons within the UK and to anyone conducting activities in the UK with regard to those activities. A global ship manager with a presence in the UK and/or a major charterer/trader based in London would fall under this regime.
A shipowner could be committing an offence by making funds available directly or indirectly to a designated person on the Office of Financial Sanctions Implementation (OFSI) list of sanctioned individuals and entities, unless it could show that it did not know or have reasonable cause to suspect that funds would be made available, directly or indirectly, to such a designated person.
Ransom payments are not a criminal offence in the US, though care must be taken not to violate the US sanctions regime. In general, OFAC (Office of Foreign Assets Control) administers and enforces economic trade sanctions for the US government. Such sanctions specifically prohibit US persons from making payments to individuals and entities on the SDN List (Specially Designated Nationals and Blocked Persons List). This prohibition includes ransom payments, whether for the release of a ship’s crew or for illicit cyber demands or events. OFAC operates, with some exceptions, a strict liability regime, meaning that, although a party may unknowingly breach sanctions provisions, the risk of sanctions enforcement still applies. However, some mitigating circumstances may be considered.
On 1 October 2020, OFAC published its most recent advisory in response to increased malicious cyber-attacks on US connected systems during the pandemic. The advisory alerts companies of the potential sanctions risks for facilitating ransomware payments to sanctioned entities, and sets out the factors considered when determining an enforcement response to an apparent violation. As ransomware events have been increasing in recent years, this advisory should be considered in tandem with the advisory on ransomware issued on 1 October 2020 by FinCEN (The Financial Crimes Enforcement Network), a US government bureau tasked with tracking financial transactions for the purpose of combating financial crimes.
The FinCEN Advisory provided potential financial red flag indicators of ransomware-related illicit activity. Some of these red flags include: (1) malicious cyber activity evident in system log files, network traffic, or file information, (2) when opening a new account or during other interactions with the financial institution, a customer provides information that a payment is in response to a ransomware incident, (3) a customer’s Convertible Virtual Currency (“CVC”) address appears on open sources, or commercial or government analyses have linked those addresses to ransomware strains, payments or related activity, (4) a transaction occurs between an organization from a high risk sector and digital forensics and incident response (“DFIR”) companies and cyber insurance companies (“CICs”), and (5) a customer initiates multiple rapid trades between multiple CVCs, with no apparent related purpose.
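As an added illustration (not part of the original update or of FinCEN's guidance), the following Python routine applies red flags (3) and (5) from the paragraph above to a set of constructed CVC transaction records. The linked-address list, the rapid-trade thresholds and the sample transactions are all assumptions made for the example.

```python
"""Screen constructed CVC transactions against FinCEN ransomware red flags (3) and (5)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Red flag (3): addresses that open-source or commercial analyses have linked to
# ransomware. These are constructed placeholders, not real addresses.
RANSOMWARE_LINKED_ADDRESSES = {
    "bc1qexampleransom0000000000000000000000001",
    "0xEXAMPLElinkedaddress00000000000000000002",
}

# Red flag (5): "multiple rapid trades between multiple CVCs". Thresholds are
# assumed for this example; an institution would tune them to its own risk appetite.
RAPID_TRADE_WINDOW = timedelta(minutes=30)
RAPID_TRADE_MIN_COUNT = 3   # trades inside the window
RAPID_TRADE_MIN_CVCS = 3    # distinct CVCs touched inside the window


def parse_ts(value):
    """Parse the ISO-style timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def screen_transactions(txs):
    """Return a list of (customer, red_flag_number, detail) alerts.

    Each record is a dict with: customer, ts, kind ("send" or "trade") and
    either to_address (send) or from_cvc/to_cvc (trade).
    """
    alerts = []
    trades_by_customer = defaultdict(list)
    for tx in txs:
        if tx["kind"] == "send" and tx["to_address"] in RANSOMWARE_LINKED_ADDRESSES:
            alerts.append((tx["customer"], 3, f"payment to linked address {tx['to_address']}"))
        elif tx["kind"] == "trade":
            trades_by_customer[tx["customer"]].append(tx)

    # Sliding window per customer: advance the window start until the oldest
    # trade is within RAPID_TRADE_WINDOW of the newest one.
    for customer, trades in trades_by_customer.items():
        trades.sort(key=lambda t: parse_ts(t["ts"]))
        start = 0
        for end in range(len(trades)):
            while parse_ts(trades[end]["ts"]) - parse_ts(trades[start]["ts"]) > RAPID_TRADE_WINDOW:
                start += 1
            window = trades[start:end + 1]
            cvcs = {t["from_cvc"] for t in window} | {t["to_cvc"] for t in window}
            if len(window) >= RAPID_TRADE_MIN_COUNT and len(cvcs) >= RAPID_TRADE_MIN_CVCS:
                alerts.append((customer, 5,
                               f"{len(window)} trades across {len(cvcs)} CVCs within {RAPID_TRADE_WINDOW}"))
                break  # one alert per customer is enough for review
    return alerts


# Constructed sample records: cust-A pays a linked address, cust-B hops
# BTC -> ETH -> XMR -> LTC in 15 minutes, cust-C trades normally.
SAMPLE_TXS = [
    {"customer": "cust-A", "ts": "2021-03-01T09:00:00", "kind": "send",
     "to_address": "bc1qexampleransom0000000000000000000000001"},
    {"customer": "cust-B", "ts": "2021-03-01T10:00:00", "kind": "trade", "from_cvc": "BTC", "to_cvc": "ETH"},
    {"customer": "cust-B", "ts": "2021-03-01T10:08:00", "kind": "trade", "from_cvc": "ETH", "to_cvc": "XMR"},
    {"customer": "cust-B", "ts": "2021-03-01T10:15:00", "kind": "trade", "from_cvc": "XMR", "to_cvc": "LTC"},
    {"customer": "cust-C", "ts": "2021-03-01T09:30:00", "kind": "send",
     "to_address": "bc1qunrelatedcounterparty0000000000000000"},
    {"customer": "cust-C", "ts": "2021-03-01T11:00:00", "kind": "trade", "from_cvc": "BTC", "to_cvc": "ETH"},
    {"customer": "cust-C", "ts": "2021-03-01T13:30:00", "kind": "trade", "from_cvc": "ETH", "to_cvc": "BTC"},
]

if __name__ == "__main__":
    for alert in screen_transactions(SAMPLE_TXS):
        print(alert)
```

An alert is a prompt for analyst review, not a determination; red flags (1), (2) and (4) depend on context (log evidence, customer statements, counterparty sector) that a transaction record alone does not carry.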
A non-US person may also be exposed to the US sanctions regime through facilitation of a ransom payment or a ransomware payment or event: if a non-US person causes a US person to violate the sanctions regime, for example by involving a US employee in an SDN-related dealing or by wiring a USD payment (USD payments usually clear through US banks), that non-US person could be liable for a sanctions violation. A shipping business considering a ransom payment should thus review its US connections: does the business use US Dollars? Are US citizens on its management team? Are any offices/branches located in the US?
In addition to the primary sanctions discussed above, secondary sanctions also apply to non-US persons even without a US nexus. These sanctions focus on economic sectors of the sanctioned country, for example the shipping sector or the oil and gas sector. In June 2020, the US State Department sanctioned the Iranian shipping line IRISL; anyone doing business with IRISL risks sanctions, which could include restrictions on accessing the US financial system or the US market. A shipowner should closely verify that prospective charterers are not sanctioned to avoid the risk of secondary sanctions, in connection with ransom payments or otherwise.
For up to date sanctions developments, please visit our Sanctions Hub.
A shipping company caught in a cyber-attack may find itself in the unenviable position of either facing the consequences of violating the law and/or sanctions regulations should it pay the ransom, or suffering the consequences of not complying with the perpetrator's demands. The latter may result in systems remaining inaccessible or being destroyed, and/or the public dissemination of sensitive information involving clients, employees and commercial partners, with the collateral risk of litigation from the aggrieved parties. The risk is high. More than $50 million worth of cryptocurrency that victims paid out to ransomware addresses in 2020 has been identified as carrying sanctions risk, nearly all of which was composed of payments to two ransomware strains, Doppelpaymer and WastedLocker [5].
Nevertheless, shipping companies should be aware of the severe penalties that could ensue from breaching sanctions regulations in order to protect their commercial interests. The fallout could be significant, as illustrated by the following examples of enforcement actions taken by the US Department of the Treasury.
On 15 March 2021, OFAC announced a settlement of USD 216,464 with UniControl, Inc. [6] for its role in exporting 21 shipments of its goods (boiler controls and other instrumentation) from the United States to two European companies with knowledge or reason to know that the goods were intended specifically for supply, transshipment, or reexportation to Iran. UniControl failed to take appropriate steps in response to multiple warning signs it encountered when engaging in business with its European trade partners.
On 18 February 2021, OFAC entered into a settlement with BitPay, Inc. [7] for the sum of USD 507,375 based upon its alleged processing of USD 129,000 worth of digital payment transactions “on behalf of individuals who, based on IP addresses and information available in invoices, were located in sanctioned jurisdictions”.
These examples highlight the importance of conducting robust due diligence to avoid sanctions violations prior to any decision being made regarding ransom payments.
Ransomware is becoming increasingly sophisticated. Attacks are likely to continue rising in the maritime sector, aided by greater vulnerability following the move toward remote working triggered by the pandemic. The legal and regulatory landscape will continue to evolve, as will the list of international sanctions. However, those engaged in the maritime industry must remain vigilant. We cannot discount the possibility that ransomware attacks could be undertaken in parallel with other malicious activities such as hacks of port logistics systems for the purpose of stealing valuable cargo for transportation to a destination of choice. Hackers could deploy measures in tandem to interfere with a vessel or port equipment leading to physical damage, e.g. remotely shutting off pumps or cooling systems. At the more extreme end of the scale, the development of autonomous vessels opens up the possibility of remote access to a vessel's controls that could see it hijacked, involved in a collision or even used as a weapon. It will be essential for maritime industry players to keep abreast of developments and potential new risks.