Service resilience and software risk - the evolving landscape
Am I the only person that has noticed recent events that highlight the financial impact of software-related service outages and the variety of people and organizations affected?
Capita in the UK recently reported in its annual accounts on the financial fallout from a series of cyber incidents as well as the cost of exiting various businesses. Capita provides software and IT services to government and private companies. It suffered a data breach in March 2023 which compromised details of more than half a million members of the UK’s private sector pension schemes. In a separate data breach in May, files containing details on local council benefit payments were left exposed on an unsecured Amazon data bucket[1].
Between April and July 2023, all three major cloud providers suffered regional outages[2]. The largest AWS region (us-east-1) degraded severely for 3 hours, impacting 104 AWS services. A joke says that when us-east-1 sneezes the whole world feels it, and this was true: Fortnite matchmaking stopped working, Mcdonald's and Burger King food orders via apps couldn’t be made, and customers of services like Slack, Vercel, Zapier and many more all felt the impact. A Google Cloud region (europe-west-9) went offline for about a day, and a zone was offline for two weeks (europe-west-9-a.) Azure’s West Europe region partially went down for about 8 hours due to a major storm in the Netherlands. Customers of Confluent, CloudAmp, and several other vendors running services out of this region suffered disruption.
Blackbaud specialises in financial, fundraising and admin software pitched at educational institutions and non-profits. The attack on its systems in 2020 is known to have impacted the data of multiple UK universities, including Aberdeen, Birmingham, Bristol, Brunel, Durham, East Anglia, Exeter, Glasgow, Heriot-Watt, Kent, Leeds, Liverpool, London, Loughborough, Manchester, Northampton, Oxford Brookes, Reading, Robert Gordon, Staffordshire, Strathclyde, Sussex and West London. Non-profit victims include Action on Addiction, Breast Cancer Now, the Choir with No Name, Maccabi GB, the National Trust, Sue Ryder, the Urology Foundation and the Wallich. Data on Labour Party donors was also taken.
Blackbaud has previously been penalised by the Securities and Exchange Commission, the US financial regulator, over its misleading response to the cyber attack. Additionally, last year, it reached an agreement to pay $49.5m, split across all 50 US states, to resolve claims that it violated state laws and the federal Health Insurance Portability and Accountability Act. It was also reprimanded by the Information Commissioner’s Office in the UK[3].
Meta’s Facebook and Instagram services were down on Tuesday 5th March[4]. A more than two-hour outage was caused by a technical issue and impacted hundreds of thousands of users globally. The disruptions started at around 10 AM ET (1500 GMT), with many users saying on rival social media platform X they had been booted out of Facebook and Instagram and were unable to log in. The outage was probably caused by an issue with a backend service such as authentication: at the time it was suggested that there had been corruption of the backup data which made it essential to close the platform completely to restart.
The British Library’s 31st October 2023 cyber attack led to a leak of employee data[5]. The attack has also resulted in the library's website being down until January 2024 making it impossible for library readers to locate or order materials.
The Rhysida ransomware group claims to be behind the attack, and say they will auction off the stolen data. The cyber gang say the price for data, that includes passport scans, has been set at 20 Bitcoin (£596,459). The Rhysida group said it was behind the attack and shared a corroborating image on the dark web showing various documents, some of which appear to be HMRC employment contracts and passports.
The British Library, the UK's largest library, posted on X, saying: "Following confirmation last week that this was a ransomware attack, we're aware that some data has been leaked. This appears to be from our internal HR files."
However, it added that it has "no evidence that data of our users has been compromised", and it has not confirmed that the data being sold at auction belongs to British Library employees. A National Cyber Security Centre (NCSC) spokesperson said it was working with the library to "fully understand the impact" of the incident. They added: "Ransomware is the key cyber threat facing the UK, and all organizations should take immediate steps to limit risk by following our advice on how to put in place robust defences to protect their networks."
What can organizations do to protect their business? Some systems cannot be down for a few hours. Other systems store sensitive – or merely private – data. IT leaders have as one of their responsibilities, to understand the vulnerability of their organization to failures in software supplied either as components or as a service. They are the front line of defence.
- Gill Ringland
FBCS, FWAAS. ICL Fellow, SAMI Fellow Emeritus
BCS IT Leaders’ Forum Executive Committee Member
Citations
[1]Financial Time “Capita shares slide 22% after higher than expected loss”, 7th March 2024.
[2]https://newsletter.pragmaticengineer.com/p/handling-a-regional-outage-comparing
[3]https://www.computerweekly.com/news/366568994/Blackbaud-blasted-for-failing-to-prevent-customer-breaches
[4]https://www.reuters.com/technology/metas-facebook-instagram-down-thousands-downdetector-shows-2024-03-05/
[5]https://www.bbc.co.uk/news/entertainment-arts-67484639