Multiple DXC Technology Customers Down After Insurance Arm Hit By Ransomware

'DXC is actively working with affected customers to restore access to their operating environment as quickly as possible,' the company said in a statement Sunday.


Multiple DXC Technology customers are down following a ransomware attack against a part of the company that sells insurance industry software.

The company said it is taking “containment” measures to ensure the virus does not spread beyond the subsidiary.

“The company has implemented a series of containment and remediation measures to resolve this situation,” the Tyson, Va.-based business process outsourcing company said in a statement. “DXC is actively working with affected customers to restore access to their operating environment as quickly as possible. DXC is also engaging with law enforcement and appropriate cyber agencies.”


The attack targeted “certain systems” of Xchanging, an insurance managed services business, which DXC said operates on a stand-alone basis. DXC said it is “confident” that the ransomware was isolated to this business and did not infect other systems.

Xchanging is an Australia-based business that focuses on insurance industry software, according to the subsidiary’s website.

“Xchanging has concentrated on the systems and processes that are common to all forms of insurance change,” according to the company’s website. “Instead of repeating the mistakes made in the past, we have developed the world class Xuber Insurance Software to enable the future. Based on our own proprietary platform, we have refined the building blocks of any insurance software product.”


The DXC Xchanging breach is just one more sign that the “No. 1 issue” facing MSPs is the growing number of breaches that are wreaking havoc on them and their customers, said David Powell, a longtime MSP who recently became senior vice president of sales for up-and-coming MSP security provider Perch Security.

“This is absolutely the No. 1 issue facing the channel,” said Powell, who last month joined Perch from MSP superstar Corsica Technologies. “MSPs are not taking this security issue seriously enough and as a result they are leaving their customers open to the downside risk of a breach.”

Powell said he is not surprised by the news of yet another MSP being hit by bad actors who have become experts at using MSP tools to breach MSP customers.

“As much as you would like to think this is an isolated incident, this is going to become increasingly more common,” he said. “The bad guys are on to the MSPs. They know the MSPs hold the keys to the downstream customers. MSPs are going to have to take the measures necessary to secure themselves and their clients.”

Powell compared MSPs to the security chief with a master key for a 500-unit apartment building. “The question is: Is it easier for cybercriminals to break into 500 individual apartments or is it easier to break into the supervisor’s apartment and get the master key so you can unlock all 500 apartments?” he said. “The MSP is that supervisor with all the downstream clients that are being impacted by a breach. What you really want is the MSP to improve what they are doing from a security standpoint and then extend it out to their clients.”

Powell praised DXC for releasing a full statement on the breach and being transparent with regard to the security issue. “Props to DXC for being open about this,” he said. “This brings awareness to this whole security issue and creates a call to action for MSPs to do something about it. More people need to know this kind of breach is occurring. It sounds like DXC is taking the right steps to remediate this. This is another warning sign that MSPs need to do something about this. How many people in your neighborhood need to get broken into before you get an alarm system?”

Powell advised MSPs to adopt a full security stack and align themselves to high-profile security standards like the NIST 800-171 federal cybersecurity standard or the Department of Defense Cybersecurity Maturity Model Certification (CMMC). “MSPs need to enforce security discipline internally around all their processes and systems,” he said.

Perch itself recommends that MSPs first adopt Perch internally before extending it to customers. Perch includes both 24/7 co-managed threat detection and response backed by its own Security Operations Center and a next-generation SIEM (security information and event management) platform.

“Perch is on the front lines of helping MSPs increase their security approach,” he said. “We are helping MSPs build out security for themselves. The first thing we tell our MSP customers is to deploy Perch in their own environment first and then look to extend it into customers.”

Brett Callows, threat analyst with cybersecurity company Emsisoft, told CRN Monday that while many companies say their data is secure, they often later find that is not the case.

“Most ransomware groups do now steal data and many organizations' initial assessments that no data was stolen are subsequently proven to be wrong,” he wrote in an email. “Working out what did or did not happen in the aftermath of an incident is far from easy and requires a forensic investigation that can take several weeks.”

DXC is the latest enterprise-grade solution provider to get hit by ransomware hackers—who have seemingly stepped up attacks against larger targets this year—following Cognizant, which was struck in April, and Conduent, which was hit in May. Xerox also said it was attacked last week.

Cognizant has been forthcoming about its ordeal, telling investors that it could cost between $50 million and $70 million to clean up the damage following a Maze ransomware attack against its systems. That attack cut off internal communications between some employees who had just switched to working remotely, leaving them unable to reach customers for a time and prompting them to use other means of communication, the company said.

Conduent said the May 29 attack—which used the Maze ransomware—was centered on the company’s operations in Europe. Maze is a particularly insidious form of ransomware that steals the data it encrypts and then holds it hostage.

In the Conduent attack, Maze hackers appear to have published two ZIP files that contain documents related to the company’s work with Vodafone in Germany. The files were released Wednesday on a site that publicizes Maze attacks.