Inside a computer attack – Culture

– I think that the summer of 2023 will really go down in the history books for Tomra. That’s what Eva Sagemo, finance director at the Norwegian pawnshop and sorting company, says. With its 82,000 pawn machines globally, Tomra is one of the companies from Norway with the largest footprint in the world. Sunday 16 July is a day Sagemo will never forget. Two days before, Tomra had delivered its quarterly report and the employees took the plunge for a well-deserved summer holiday. Sagemo herself went to Italy, where she was going on a tour with her children. It would turn out to be a very short trip. SPEAKING OUT: Tomra has communicated regularly on its website about what happened during the cyber attack, but this is the first time they have told about what it is like to be exposed to a cyber attack. Photo: Martin Gundersen / news – I landed on Saturday evening and had barely opened my eyes on Sunday morning, when the phone rang. It was the IT department. They had discovered strange activity in Tomra’s computer systems and suspected that the company was exposed to a computer attack. – They said they weren’t quite sure, but I got an immediate feeling that something was very wrong, says Sagemo. The abnormal activity pointed towards Montreal in Canada. The rest of the management was connected and the IT department worked furiously to map out what was going on. The company is now telling for the first time what it was like to be exposed to a data attack. – I have never been exposed to such a crisis before and there are many others in Tomra who have not either, says Sagemo. The computer attack has cost the company NOK 200 million, says Sagemo. That is 80 million higher than the company has previously agreed with. Sagemo hopes others can learn from their story. Tomra Tomra was founded in 1972 as a mortgage company. Today, it is a global company that specializes in sorting systems that can be used for, among other things, food production and the extraction of minerals. The main business of the company today still revolves around mortgage systems. Tomra operates over 82,000 pawn machines in more than 60 countries. In recent years, Tomra has been among the 15 largest companies on the Oslo Stock Exchange. But this autumn the company experienced its worst stock market fall in 20 years. Tomra had sales of NOK 12.2 billion in 2022 The company has more than 5,000 employees globally Source: Tomra / Aksje Norge The big crisis button For Tomra, the data attack was a crisis. – Many people think that a data attack is primarily an IT crisis. But the whole company is under attack, says Sagemo. By Sunday afternoon, they thought they had it under control. Sagemo, who had followed the process digitally from his hotel room in Italy, breathed a sigh of relief. But it wasn’t long before she got a new phone. – It was complete chaos, the activity had exploded. Sagemo, in consultation with the rest of the management, decided to press the big crisis button. – This means that we took down large parts of the operating environment and ran in offline mode, explains Sagemo. Pawn systems are Tomra’s main business. Photo: Martin Gundersen / news The sorting systems Tomra has developed are today also used for things other than mortgages. Among other things, in the extraction of minerals and in food production. Photo: Martin Gundersen / news Tomra supplies and operates deposit systems for over 60 markets. Germany is the company’s largest market, but they are also a supplier of mortgage systems in Asia, the USA and Australia, among others. All the most important infrastructure was disconnected, including data centers and servers. 65 percent of Tomra’s more than 82,000 pawn machines globally also went down. Several employees were sent to home offices. – It was dramatic because we didn’t know what happened in the systems internally when we left it dead. We also didn’t know what would happen when we actually started it up again, says Sagemo. Most of the Tomra pawn machines continued to work, but at some point they would all stop completely. The oldest with the least storage memory would stop first. – We print money every day, every second, globally in our deposit machines. Then we can’t risk something going wrong, says Sagemo. If Tomra’s 82,000 pawn machines were taken out of service, the company would suffer a serious dent in its reputation. – It was a battle against the clock. Interrupted holiday Sagemo had to abruptly interrupt his holiday in Italy and return home to become crisis manager. – It was just a matter of rolling up our sleeves and dealing with the fact that we were in the middle of an extensive data attack, says Sagemo. She went straight from Gardermoen, suitcase in hand and high pulse beating in her chest, to Tomra’s head office in Asker. Here, one wing had already been transformed into a crisis centre. – On the door hung a large sign that simply said “incident” and no one other than us who worked on it was allowed in. THE CRISIS ROOM: This is where top management and the crisis team sat who made the decisions when Tomra was exposed to the computer attack. Photo: Martin Gundersen / news Divided into four meeting rooms, Tomra coordinated the work to gain an overview and control of the data attack. The company brought in Deloitte to help them. At most, over 200 employees and consultants contributed, according to Sagemo. Between the meeting rooms they moved with a brisk walk, high shoulders and stiff smiles. – In the first period, the uncertainty and fear of the unknown was the worst. Getting an overview after a data attack often takes a long time. For Tomra, it took two weeks from when they discovered the suspicious activity until they experienced having an overview of the situation. Economic motive In recent years, criminals have committed spectacular computer attacks against Norwegian companies. In 2019, Hydro was in the same situation and two years ago, hackers published internal company documents from Choice Hotels. The criminals often try to pressure companies for money by shutting down IT systems and threatening to publish sensitive information. – The worst thing that could happen to Tomra is that data was actually taken out of our systems. For example, sensitive data about employees or customers, says Sagemo. – We are lucky to have avoided it. HELP: Bjørn Jonassen led Deloitte’s crisis team that helped Tomra in the attack. Deloitte also helped clean up the attack against Hydro in 2019. Photo: Martin Gundersen / news Bjørn Jonassen heads Deloitte’s cyber security department. He points out that there are usually two different motivations behind computer attacks: Economic and political. In the case of Tomra, the attack was probably financially motivated. – We do not know for sure what was the intention behind the attack, because no ransom was ever demanded. But it has happened in similar situations, says Jonassen. Attack on the stairs Earlier this autumn, Norwegian security authorities (NSM) sounded the alarm about waves of computer attacks. CONCERNED: In general, the security authorities see that the same weaknesses repeat themselves in companies with poor security routines, points out department director Martin Albert-Hoff in NSM. Photo: Sunniva Linjord / news – We are worried, says Martin Albert-Hoff. He is department director for the National Cyber ​​Security Center at NSM. – The development is violent and attention must be raised, he continues. Albert-Hoff believes it is important that companies affected by computer attacks are open about the experience. – We need incidents to be notified, so that it is possible to build a good picture of the situation. We must have a common understanding of the situation in Norway – whether it is peace, crisis or war, he says. Albert-Hoff points out that many companies are good, but that several of the same weaknesses recur. – Weak passwords, unfinished systems and outdated solutions are still the key to the digital machinery, he points out. Jonassen at Deloitte shares Albert-Hoff’s concern. BACKGROUND: Bjørn Jonassen at Deloitte sees that there is a general backlog in the security systems of Norwegian companies. Photo: Martin Gundersen / news – We have a high, unpredictable threat situation and we also see that it is rising. So it is quite clear that attacks like this will happen again, says Jonassen. He believes it is important that more companies obtain a better overview of their own systems. – Without insight, it is difficult to do things correctly going forward. Not shamed When you are first exposed to a data breach, the situation is completely different. Then you have to act quickly. – When an attacker gets into the systems as in this case, there are many doors to close to shut the attacker out, says Jonassen. He believes Tomra was right to shut down the systems to gain control instead of hoping for the best. – If you sit for too long and consider what to do, the clock is ticking, and that can have enormous consequences, says Jonassen. Jonassen believes Tomra’s openness about the attack they were exposed to can help others look at their own businesses in the cards. Sagemo agrees: – This is not something to be ashamed of. It’s something that can happen to anyone, no matter how good you are. So transparency has been important to us, and we’re glad we’ve been that way all along. There is nothing to regret. MAJOR OPERATION: Tomra is still working to clean up the damage after the computer attack. Photo: Martin Gundersen / news For Tomra, security-conscious employees and good routines were the key to detecting the break-in early, and to keeping the company in operation even though many of the IT systems were down. Not over yet In Tomra’s demo center in Asker, older and newer pawn machines stand side by side. Here, Tomra brings customers to show off the mortgage systems of the future. Today, most things work as normal in the company, but Tomra is still cleaning up the damage after the attack. – We are still working towards normal operations, but 17 September was a special day. Two months had passed and it was the first day that we felt we had some sort of operational control. Then we celebrated with cake! The finance director laughs. But the cleanup has been expensive. REASON TO SMILE: Eva Sagemo believes that good employees who gave notice in time are the reason why Tomra has managed to handle the data attack as well as they have. Photo: Martin Gundersen / news – Initially, there has been no consequence for the businesses. We have received orders and we have managed to deliver. But what costs money is doing an investigation as big as the one we did. We estimate that it has cost us around NOK 200 million. – It is much. – There is a lot of money that could be spent on something else.



ttn-69