AUGUST 14, FRIDAY: 20:00
That half of Spain fortunate enough to be on vacation was attempting to adhere to COVID-19 restrictions which we now realize were far too lenient. For insurance companies this was the eve of one of the busiest days of the year for traffic in Spain, with those starting or finishing their two-week vacation always making this a stressful time for most roadside service companies. Yet again this year, MAPFRE had everything planned and its service was ready to respond to the needs of its clients.
A massive cyberattack was launched against MAPFRE in Spain. On a daily basis, any company our size detects and neutralizes hundreds of thousands of similar events – attempts to gain access in some way to IT systems. But, right away it was clear that this one was different.This was a ransomware attack seeking to encrypt the company’s information and prevent it from operating, and it had not been launched against MAPFRE by chance.
A year earlier, August 2019, international cybercriminals began preparing the attack on MAPFRE. Their first decisions were to purchase domains that enabled them to get closer to the company. They also created a tailor-made hacking tool against MAPFRE, a new design that could not be detected by current antivirus systems, a virus specifically designed to target one single company in Spain. We discovered all this later on, thanks to the forensic analysis carried out by MAPFRE, in collaboration with the leading international firms specializing in combating cybercrimes.
Ransomware attacks soared by 500 percent in 2019, mainly targeting major multinational companies, institutions of all kinds and even governments. MAPFRE’s protective shield is up 24x7x365; as soon as the attack was triggered, an expert at the Security Operations Center in Majadahonda detected it and implemented the alert analysis protocol which immediately revealed the severity of the problem and sounded the alarm.
This was a ransomware attack seeking to encrypt the company’s information and prevent it from operating, and it had not been launched against mapfre by chance.
A year earlier, august 2019, international cybercriminals began preparing the attack against MAPFRE, creating a tailor-made hacking tool – a virus specifically targeting MAPFRE.
The Manager of MAPFRE’s Security Operations Center was informed of the attack and set about mobilizing the teams to deal with it, as envisaged in the Crisis Management and Business Continuity Plan, given that a cyberattack is one of the risks analyzed and modeled so as to be able to act immediately whenever one takes place. Minutes later the Corporate Crisis Committee sprang into action and, given that the initial impact was detected in Spain, MAPFRE España’s Crisis Committee was also mobilized. This attack was not by chance, as it sought to render the company powerless on one of Spain’s most critical days for service provision, particularly as regards roadside assistance.
That Friday was a very long night and the MAPFRE professionals did not hesitate when it came to interrupting their vacations and connecting from wherever they were, or heading to Majadahonda so all the areas involved could combat the attack in a coordinated fashion. A well-oiled, tried and tested machine is the best guarantee that it will work when it is most needed and time is of the essence. Such a virus swiftly starts encrypting computers and systems which, in a highly digitized company, leaves it totally “blind” as regards its ability to respond to clients’ needs.
Contain, Operate and Respond are the three strategies that start up in parallel. The Corporate Security Division and the Corporate Technology and Processes Area dealt with the initial phase – identifying the virus, analyzing its scope and containing its expansion. The first step was to isolate the data center by cutting off all communications with the outside world, and with the disaster recovery center. All systems had to be systematically shut down until the full extent of the impact was verified and an appropriate response defined. This total disconnection – isolating domestic operations from all the other countries – is what enabled the virus to be contained within Spain.
MAPFRE professionals did not hesitate when it came to interrupting their vacations and connecting or heading to their workplace to combat the attack.
The corporate security division and the corporate technology and processes area dealt with the initial phase – identifying the virus, analyzing its scope and containing its expansion. This total disconnection enabled the virus to be contained within spain
Operations likewise activated and coordinated a swift alternative response in Spain so as to be able to attend to clients’ needs the next day. The computers were all switched off and/or encrypted and so were of no use for habitual dealings with clients. The Si24 had to be reinforced and alternative procedures implemented; and shortly after half past two on Saturday morning, the system was already up and running. In barely four hours, voice connections had been enabled in call centers to ensure continued customer service and the Operations personnel who were working remotely headed to the MAPFRE facilities to be able to take calls. The application servers started recovering immediately using the backup system – which contained all the protected information and had not been compromised – thus demonstrating its technical strength.
We already had the antivirus. Despite this being a new kind of virus, specifically targeting MAPFRE, which evolved and honed its tactics for months until it found a way in, it took just six hours to develop the antivirus that was essential for starting the process of gradually recovering computers and systems in the most secure way possible. Priority was granted to the latter and, in general, all the technology related to customer service, which was the key factor that weekend.
The mass exodus of Spain’s citizens was underway, mainly by road, and the first incidents were registered. The Si24 was reinforced, but limitations remained that prevented it from responding as usual and this led to longer waiting times. The first few hours were particularly complex, but MAPFRE already had a secure environment that meant it could start restoring servers and computers in a prioritized fashion.
The Corporate Crisis Committee met to analyze an initial snapshot of the impact. Containment measures had worked, but Spain had sustained profound damage. Customer service was being provided, not with full normalcy, but was indeed functioning, thanks mainly to the response from MAPFRE España Operations and the dedicated commitment of all the personnel related to the customer service sector.
MAPFRE is a transparent company that establishes relationships built on trust with all its stakeholders. This sounds fine, but it is not merely a claim. No doubts whatsoever surround this true commitment. Companies or institutions affected by this type of attack usually do not report it, or only do so when they no longer have any choice. MAPFRE respects its commitments and decided to act with full transparency from the outset. It started by reporting the crisis to supervisors and regulators and, while there was no mass data leakage, it nevertheless offered all the information available at that moment in time. At three in the afternoon, i.e. within 24 hours of the attack and once a preliminary impact analysis had been carried out, the general public was widely informed through all the media outlets. Information and transparency prove the best allies when it comes to protecting a reputation. The general public understood that we were facing a highly professional attack against which no company, institution or government in the world is fully protected, and especially appreciated the commitment to transparency evident in the widespread communication of the facts. That was just the start; over the next few weeks the Corporate Security Division coordinated over 200 communiques reporting on the attack and its consequences, not just to the required bodies and agencies, but also, in general, to all those asking MAPFRE about the extent of the attack.
In just six hours, the antivirus was already available.
Within the first 24 hours and once a preliminary impact analysis had been carried out, the general public was widely informed through all the media outlets.
The corporate security division coordinated over 200 communiques reporting on the attack and its consequences .
The second wave of security reinforcement measures were progressively deployed to the other countries to protect against this new threat and establish a secure reconnection with them, as well as with our business partners, while the process of recovering the affected servers, databases and systems continued apace. Most importantly, the backup was safe and sound. The protocol envisaged for a cyberattack enabled decisions to be made from the very first minute and this enabled the company’s data to be saved.
From the third day, the resumption of operations progressively accelerated as operations with clients were recovered and stabilized. Within two weeks, 18,000 workstations were also relocated in more than 3,000 MAPFRE offices, among other actions undertaken. By the end of August, MAPFRE deemed this crisis over, insofar as its maximum priority – customer service – was concerned. And the decision was made to offer 100 euros upon renewal to compensate those we were unable to serve with our habitual standard of excellence, principally during the first few days and in relation to assistance benefits that had to be dealt with manually.
Internally, work continues to complete a full review and recovery of data. The thorough forensic analysis continues, as well as the worldwide investigation by the police forces combating this kind of terrorism. However, we overcame the critical first few days and, two months later, we clearly did so successfully. Moreover, the company had insurance protection against cybercrime that will assume part of the cost.
The rapid reaction confined the attack to Spain alone. The data was well protected and it thus proved possible to restore it. There are very few companies with this orderly response capacity. The subsequent reconstruction of events clearly revealed where they entered and where they left. It also enables us to guess which criminal organization was behind this attack specifically designed to hit MAPFRE. However, we should let the international investigation follow its course, so that an evergrowing number of institutions and countries can coordinate a more effective global response to such criminal acts.
5 LESSONS LEARNED
Total security does not exist. The attack was launched in August, but the terrorists had been preparing it for a year, investing hundreds of thousands of euros just to attack MAPFRE. And it is up to each one of us. A username and password captured by the attackers served as their entry point
Well-oiled machine. The best response is achieved by being prepared; we were able to react swiftly and effectively because we had analyzed and planned for it in the Crisis and Business Continuity Plan.
Human commitment. Highly committed professionals who reacted with total dedication and generosity from the very outset
Transparency as the way to defend our reputation. Informing our stakeholders increased the comprehension of all of them with respect to the crisis the company was facing
MAPFRE’s resilience demonstrating the business’s ability to continue operating under extreme conditions