RR Donnelley Data Breach Alert | Console and Associates, PC
Late last year, Fortune 500 company RR Donnelley, one of the world’s largest commercial printers, announced that it had suffered a network intrusion following a ransomware attack. Details about the data breach are still scarce; however, attorneys at Console & Associates, PC are actively investigating the breach to determine if the company was liable. If RR Donnelley is found to have failed to implement an adequate data security system, or if the breach was otherwise related to the negligence of the business, it may be held liable through a data breach class action lawsuit.
The RR Donnelley data breach is relatively recent, so there isn’t much publicly available information regarding its causes or the extent of consumer information compromised as a result of the breach. What is known about the breach is that it happened on December 27, 2021. In response, RR Donnelley shut down the company’s servers to identify the extent of the problem.
In what might be an interesting related story, the major brokerages Fidelity and Vanguard both experienced six-day service outages on the companies’ websites around the same time as the RR Donnelley breach. In a press statement, Vanguard explained that the website issues involved a “third-party mail and check processing provider.” However, the Vanguard representative did not confirm the name of the third-party vendor.
What is ransomware?
Ransomware is a type of malware that typically blocks access to a person’s device unless they pay a ransom to the party controlling the program. Often, ransomware is distributed through the use of a “Trojan horse”, which is a seemingly harmless file that installs software when the user opens the program.
Are cybercriminals targeting their ransomware attacks on certain companies?
According to a recent news report, it appears that RR Donnelley may have been targeted because the company is in the process of soliciting bids for a merger or acquisition. Indeed, according to an FBI press release from November 2021,
“The FBI assesses that ransomware actors most likely use significant financial events, such as mergers and acquisitions, to target and exploit businesses that are victims of ransomware infections. Before an attack, hackers look for publicly available information, such as a victim’s identity, inventory valuation, as well as non-public material information. If the victims do not pay a ransom quickly, ransomware actors will threaten to publicly release this information, which could cause backlash from investors.”
The idea is for cybercriminals to identify companies that are at a critical juncture and exploit the fact that the company will want to avoid blowing the deal due to poor public relations following a data breach. Thus, in the minds of cybercriminals, the company is much more likely to pay the ransom. However, the FBI explains that it “does not encourage ransom payments to criminal actors” as it “emboldens adversaries to target other organizations, encourages other criminal actors to engage in ransomware distribution and/or may fund illicit activities”. Paying the ransom also does not guarantee that a victim’s files will be recovered.
Additionally, the FBI encourages companies going through a critical event such as a merger or acquisition to take the following steps to ensure the security of their networks and the consumer data held by those networks:
- Back up all critical data;
- Ensure that copies of critical data are uploaded to the cloud or downloaded to an external hard drive;
- Secure backups to ensure data is not accessible from the system where the original data resides;
- Install and regularly update anti-virus or anti-malware software on all hosts;
- Use only secure networks and avoid using public Wi-Fi networks;
- Use two-factor authentication for user login credentials;
- Use authenticator apps instead of email, as cybercriminals can control employee email accounts;
- Do not click on attachments or unsolicited links in emails; and
- Implement least privilege for file, directory, and network sharing permissions.
All companies in possession of consumer data have an ethical and legal obligation to keep it confidential. Although maintaining an adequate data security system is a significant burden for businesses, it is a necessary cost of doing business in an environment where hacking and cyberattacks are common. If a company doesn’t take its consumer privacy obligations seriously, it can be held liable through a data breach class action lawsuit. While it’s too early to tell whether RR Donnelley took the necessary precautions to protect consumer data from this type of attack, the breach raises serious concerns about the data security measures the company had in place before the breach.
If you believe you have been affected by the RR Donnelley data breach, it is important not only to protect yourself from possible fraud, but also to understand your rights.