Most people are well-aware of the rapidly growing number of cyber-attacks in our modern digital economy. Only a few months ago, the accounting community was directly targeted through Wolters Kluwer’s CCH tax software and in the past week, Capital One was the victim of a major attack. Unfortunately, iNSYNQ and our customers have now been added to that list.
In early June a sophisticated malicious actor penetrated iNSYNQ servers and sat dormant until July 16th, when they remotely triggered a highly-targeted, carefully planned ransomware attack on one of our primary data centers, impacting a very large segment of our customer base. This planned, targeted attack was conducted by a cyber-criminal group that, according to the multiple experts we’ve been in touch with, used a previously unseen variant of the virus known as MegaCortex. Within an hour of the attack being triggered, we made the decision to shut down all of our impacted servers in that data center to minimize the impact to our customers and their data. Doing so allowed us to preserve the vast majority of our customers’ files.
Over the last 20 years of being in business iNSYNQ has made it a mission to be as diligent as possible against these types of attacks, and has always had mechanisms in place to protect its customers. One question that’s come up through this process is why backups were impacted during this attack. We want to be clear that our backups are on separate servers. The attackers targeted those servers that included backups in addition to the other servers. We had to turn all servers off when the attack occurred. While we were able to preserve the majority of our customers’ data and worked with Crowdstrike - a top cyber security firm - to ensure there was no lingering malware present, re-stabilizing systems proved to be an incredibly time-consuming process because of the need to rebuild thousands of customer’s desktops one by one.
At this time after the initial preliminary investigation, we have no evidence indicating that our customers’ data was exfiltrated (i.e., taken) or accessed as a result of this incident. Experts at Crowdstrike (along with other experts in the space) have not seen a MegaCortex attack through which data was exfiltrated; however we can’t know this with certainty until the investigation and forensic analysis underway have been completed.
As part of this attack the attackers demanded a payment from us. We have been asked by some customers “why not pay the ransom?” While we were prepared to pay the ransom, doing so in an attack such as this is considered a gamble and law enforcement recommended that we not do it. Once a cyber-criminal is paid, the risk of iNSYNQ being targeted in future attacks increases. In addition, paying the ransom wouldn’t have decreased the time it took to get our customers back up and running. The same process would have to be followed with one additional step of scanning the decryption key. Our main priority was to get our customers’ data back while minimizing risk exposure in the future.
Once the attack was triggered and law enforcement and our cybersecurity experts were called in, we immediately set to manually scanning and disinfecting systems. We then began to manually reconstruct desktops while developing additional software to further automate the process in parallel, as well as reinstall software applications such as QuickBooks, Microsoft Office, and Sage.
We were advised (and in some cases instructed by law enforcement) to not give too much detail in the likely case the hackers were listening for information that could be further used against us. Unfortunately, this put us in an uncomfortable position of having to withhold information. Understandably, many of our customers became frustrated at the perceived lack of transparency. While we are still in the midst of an ongoing criminal investigation and there are many details we still cannot share at this time, we are now at a point where we can shed further light on what happened for our customers, which we first presented in the form of an informative webinar this past Thursday afternoon, which can be accessed at this link.
We want our customers to know that we have taken in every piece of feedback they’ve had for us during this process, and are continuing to take immediate steps to assist with as many problem areas as possible as quickly as possible. We have already invested in new software that leverages artificial intelligence (“AI”) and machine learning to further enhance our security, as well as enhancing our firewall system to leverage the best technology available. We also have a team of approximately 90 cyber security experts from Crowdstrike working with us, as well as increased insights into how to prevent and manage a sophisticated attack like this moving forward.
Our goal is to not just come out of this as an undeniable leader within in the Accounting Cloud Technology market segment, but to earn back the trust of all of our customers who have invested in us. We are proud to be one of the first companies to have ever offered a hosted version of QuickBooks and to have spearheaded Intuit’s Certified Hosting Program. In the coming weeks we will be rolling out additional information regarding service enhancements for our customers who can be rest assured that not only is their data indeed safe with us, we will also continue to provide them the convenience and usefulness of our top-rated desktop as a service (“DaaS”) as we’ve done for the past 20 years.