Reconstructed Data Breach Timeline

On 19 February 2021, fashion brand and retailer Guess discovered a cybersecurity incident designed to encrypt files and disrupt its business. Guess immediately activated its incident response plan and engaged a cybersecurity specialist to assist. The investigation established that an unknown perpetrator had unauthorized access to certain Guess systems between 2 and 23 February 2021; note that this window extends four days past the date of discovery. Towards the end of May, the company determined that the attackers had accessed sensitive personal information of certain employees and contractors, including Social Security numbers, driver's license numbers, passport numbers and financial account numbers. Guess did not say whether any customers were affected; it only confirmed that the attackers did not leak "customer payment card information". Further investigation identified the individuals affected, and last week Guess started mailing notification letters to them. The company now offers complimentary one-year credit monitoring and identity theft protection services to anyone impacted by the incident, and says it has implemented additional measures to enhance the security of its network.

DarkSide Claimed Credit for the Attack

Although Guess did not disclose the origin of the breach or the threat actor behind it, experts believe the incident was part of a ransomware attack in February carried out by the Russian hacker group DarkSide. Two months later, the retailer appeared on the group's data leak site. Privacy advocate "Dissent Doe", founder of Databreaches.net, interviewed DarkSide operators about their approach to their ransomware operations. The gang openly boasted about stealing 200 GB of data and posted a number of samples as proof. DarkSide also publicly advised Guess to "use their insurance". "Always before putting the amount of ransom, we study the internal reporting of the company and definitely understand how much they can really pay, all our partners work in the same way and we always remind about it. Basically, we do not require more than the amount of cyber insurance, but we cannot always check the actions of our partners", explained DarkSide in the interview.

Ransomware-as-a-Service

DarkSide has been active since at least August 2020. The group runs a Ransomware-as-a-Service (RaaS) operation with corporate-style methods. In a RaaS model, the ransomware operators develop and maintain the malware and the supporting infrastructure (leak site, payment portal, negotiation chat) and provide them to third parties, known as affiliates, who carry out the actual intrusions in exchange for a share of the ransom payments. This division of labor is what DarkSide is alluding to when it says it "cannot always check the actions of our partners": the operators set the rules, but the affiliates do the hacking. The gang allegedly ceased operations in May 2021 after its attack on Colonial Pipeline sparked international condemnation and increased scrutiny from law enforcement. Colonial Pipeline paid roughly $4.4 million in bitcoin to DarkSide; the FBI subsequently recovered about $2.3 million (63.7 bitcoin) of it, which the Justice Department said it did by obtaining the private key to the wallet that held the funds.

In Guess's case, many questions remain unanswered. How did the intruders get in, and how did they remain in the network for three weeks? Why was sensitive information such as Social Security numbers and financial account numbers stored in clear text? Guess is listed on the New York Stock Exchange, has over 15,000 employees and approximately 1,580 stores worldwide, and reports revenue of $2.7 billion. Its share price dropped 4.69% over the last six months, but so far the disclosure of the data breach does not appear to have had any material effect on its financials.
