Recently, a special trial took place in Haugaland and Sunnhordland District Court.

On 21 April 2021, Nordlo was exposed to a cyber attack. Hackers from Austria and Taiwan logged in with the user account of one of Nordlo’s customers, which led to one of the company’s terminal servers. It is not known how the threat actors obtained this customer’s login details, but it was probably via a so-called phishing e-mail.

Demanded NOK 60 million

It was not just a single virus that was installed in the systems, but a group of hackers who gained access to this customer’s user details. The hackers worked actively to launch several extensive attacks against Nordlo’s systems, according to the court.

The incident was discovered shortly after the attack was launched. Nordlo then made contact with the threat actors through an e-mail address provided in a link. They then received a demand for 116 bitcoins, which amounts to NOK 50-60 million. The demand was not paid.

– Make good demands on suppliers

According to the National Security Authority (NSM), they are not aware of similar cases that have been in the judicial system. Nor do they have an overview of how many attacks of this type there have been against Norwegian companies.

Deputy head of the National Cyber Security Center (NCSC) in NSM, Gullik Gundersen, tells news that it is becoming increasingly common for Norwegian companies to use suppliers for IT security. The problem with many companies is that they are not smart enough to make demands on these subcontractors.

– It is very important for these companies to know what values they have in order to be able to protect them. You can never be completely sure that you will not be exposed to computer attacks, but you can do a lot to be more secure. It is, among other things, about making good demands on suppliers, he says.
Gundersen says that they currently see a high level of activity by hackers. A national report will be published in mid-October, showing trends, development and figures.

– There is a rather sharp risk picture for Norwegian companies now, he says.

Gundersen is not aware of the aforementioned case, but speaks on a general basis.

They believe they lost NOK 4.5 million

As a result of the cyber attack, three of Nordlo’s customers lost access to their systems for an extended period of time. This meant that, according to their own calculations, they lost around NOK 4.5 million. The companies therefore demanded compensation from the IT company they used after the IT company itself fell victim to cyber attacks.

These are the companies

The companies Malermester Emberland AS, A. Utvik AS and Norsk Medikal AS have all had Nordlo Haugesund as their IT supplier.

Emberland is one of the country’s oldest painting companies and had a turnover of NOK 32 million in 2022, while A. Utvik is a major real estate player in South-West Norway. They had a turnover of NOK 112 million in 2022. Norsk Medikal is a company that imports and sells medical equipment and consumables. They had a turnover of NOK 11.5 million in 2022.

The companies believe that Nordlo has shown gross negligence by breaking the agreement. They believe that Nordlo should have been aware that a cyber attack was a risk, or should have given clear notice that the company did not offer security around a cyber attack.

There are few figures that can confirm the number of cyber attacks against Norwegian companies in recent years, but there is no doubt that they have increased.

Nordlo explains that when the alarms went off, the data center was shut down shortly afterwards. Via its insurance, the IT company Atea came in to assist, and only 4 out of 250 customers lost their data. They also point out that the attack was beyond their control.
At the same time, the company believes that the loss to customers is undocumented.

The court agrees with Nordlo: the company has not acted with gross negligence.

– As the court has noted previously, it is the court’s opinion that Nordlo had sufficient and good security, and that it must be taken into account that the default is a consequence of a targeted hacker attack by foreign professional actors, writes the district court in its judgment.

Must pay court costs

The court therefore believes that the security company acted correctly and has won the case. But not fully.

The three companies have therefore been ordered to pay Nordlo’s legal costs of just under NOK 800,000.

– We are satisfied with the outcome. The verdict is also as we expected. We see this as having been fully upheld, says Nordlo’s lawyer, Tage Brigt Skoghøy at DLA Piper, to news.

The security company is ordered to pay compensation for three months’ rent, which is in accordance with the agreement entered into with the three companies.

– We haven’t been able to sit down and consider the verdict thoroughly yet. The court has agreed with us that Nordlo has breached its obligations towards these three customers. Now we are going to spend some time assessing the judgment and deciding whether to appeal or not, says the three companies’ lawyer, Toralf Haver, to news.