Pendragon's zealous response to LockBit ransomware is a breath of fresh air

I’ve written numerous pieces for IT Pro on my thoughts around incident response to cyber attacks. I find it uniquely interesting from a business perspective, purely because so many companies keep failing miserably in this regard.

It’s why I feel compelled to sing the praises of organisations that do, in fact, get it right. UK-based car dealership group Pendragon is the latest to pique my interest for its response to a LockBit ransomware incident it suffered last week. In the midst of a rumoured £400 million takeover bid and a high-street defacement by Just Stop Oil, the company still managed to hit all the right notes when it came to its incident response.

First of all, it created a dedicated page on its website to provide customers, media, investors, and other stakeholders with regular, timestamped updates on how it was dealing with its response. It was the same tactic deployed during Norsk Hydro’s 2019 ransomware incident, one of a number measures the manufacturer took that led many, including myself, to dub it the ‘gold standard’ of incident response case studies.

I’m still yet to encounter an incident where a company has been more responsible and impressive with its response than Norsk Hydro three years ago. It’s a shame considering how widely documented it is that businesses recover better when their incident response is expeditious, open, and honest.

Of course, there are regulations across Europe that mandate public disclosure of significant cyber incidents within specified time frames. The UK’s Information Commissioner's Office (ICO), for example, enforces disclosure within 72 hours of detecting the incident and any disclosures outside of that window require a full explanation. GDPR paved the way for responsible disclosure, but organisations are still not required to go into the depth and detail that Pendragon has chosen to. Kudos all around.

The state of affairs in the US is a sorry one, though. It’s far from the most recent, or even the most egregious, of cases but the one that always sticks in my mind is GoDaddy’s breach in 2021. The incident was only unearthed by savvy journalists, seasoned in the art of sifting through the unintuitive SEC filing systems, who found the details of a breach affecting more than 1.2 million customers. Once the media broke the news, the company decided to go public, but still with only the very bare minimum level of insight customers deserved.

Pendragon clearly employs security specialists that are on top of their game and understand industry best practices for these types of scenarios. The company declared almost immediately that it would refuse to pay the $60 million (£53 million) ransom issued by LockBit and promptly won an interim injunction from the High Court to prevent the hackers from leaking the data they stole in the process of the attack.

LockBit is a double and triple extortion ransomware organisation, the attacks from which almost always involve data theft as well as data encryption. It also is known for allowing customers around seven days to either pay the ransom or negotiate it down through direct contact with the group. If no payment is made during this time then sensitive data is leaked on the dark web, opening up the victim to regulatory penalties.

In addition to the superb public disclosure, the company confirmed in a press release that it quickly alerted all of its manufacturing partners and its circa 4,000 staff too, in addition to the requisite authorities.

It’s never a pleasant task having to report on ransomware attacks, but when companies like Pendragon go the extra mile to handle it in the right way, in a regulatory climate that doesn’t compel it to, it does bring me some joy in giving credit where it’s due.

I won’t go far as to say it’s the perfect response, and there is definitely room for improvement in the level of detail it supplied regarding its recovery process, for example, but the care the company has clearly taken to ensure everyone involved is well-updated is heartening. It’s also an approach I hope to see adopted by more companies going forwards, though, in my experience, it’s not worth anyone holding their breath.

Pendragon’s official statement regarding the security incident:

“We have identified suspicious activity on part of our IT systems and have confirmed we experienced an IT security incident. This has not affected our ability to operate, and we continue to service our customers and communities as normal.

“Upon discovery, we took immediate steps to contain the incident. Our security specialists launched an extensive investigation to assess fully what has happened and we’ll be keeping our customers and partners updated. To add, the Pinewood Dealer Management System was and remains completely unaffected.”