Ride the Lightning

DLA Piper Battling Insurance Company Over Losses From NotPetya Attack

March 27, 2019

Edited: 4/4/19 Any number of media sources got this story wrong. An "act of war" exclusion was not invoked by Hiscox. In fact, DLA Piper did not have a specific cyber liability policy. An updated story has been posted here.

A recent post from Graham Cluley discussed the June 2017 NotPetya ransomware attack. It initially spread via a malicious automatic update to a popular Ukrainian accounting software tool, hit companies around the world including advertising giant WPP, household goods manufacturer Reckitt Benckiser, FedEx subsidiary TNT Express, and international shipping logistics company Maersk.

Shipping conglomerate Maersk later estimated that the NotPetya ransomware cost them as much as $300 million in lost revenue. Reckitt Benckiser, the firm behind such brands as Nurofen and Durex, blamed the malware attack for a $100 million loss in revenue.

Multinational law firm DLA Piper was also hit. The firm, with a presence in over 40 countries, reportedly had a “flat network structure globally,” allowing every data center and Windows-based server on its network to be impacted by NotPetya.

Wiping its systems and starting again was surely costly, and included 15,000 hours of extra overtime it reportedly paid its IT staff.

ITNews reported on how the successful attack happened:

“We were hit through a supplier of ours,” DLA Piper’s Melbourne-based regional IT manager Dylan James said. “The impact of it was very widespread and the recovery from there became quite complex for us and very, very time consuming. The first 48 hours were definitely the hardest. Because it was a global attack, every data centre and Windows-based server that we had was impacted. It took us literally 48 hours to find a working copy of a domain controller that we could even use to start the recovery.”

James said that IT in the United Kingdom had identified the attack within about 20 minutes of it starting. However, he said the company’s “flat network structure globally” allowed the malware to easily spread. “One of the things we’re in the process of doing right now is segmenting our network, separating off our offices and isolating them so that should we get hit again in the future we’ve got a greater chance of containing the spread of the attack rather than being as open as we were on this occasion."

As Graham Cluley says, it’s no surprise to hear that DLA Piper is interested in recovering some of that expense from its insurer, Hiscox.

As The Times reported (sub.req.), DLA Piper started proceedings against Hiscox, saying that the insurance firm has failed to pay out for the damages and costs associated with the NotPetya attack – a claim which may amount to several million pounds.

From the sound of things, according to Cluley, Hiscox is refusing to pay up because of the “act of war” exclusion clause commonly found in insurance policies. The UK government has officially stated that the Russian military was “almost certainly” behind the NotPetya attack.

Our friend Judy Selby wrote us that Maersk and Merck are property policies. She said it's probably the same for DLA, although there’s some speculation that it’s a kidnap, and ransom policy. We will undoubtedly learn more as the lawsuit proceeds.

Hat tip to Dave Ries and Judy Selby.

E-mail:    Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson