In its Form 424B3, the Italian luxury group characterized the incident last year as an extensive ransomware attack “that impacted the majority of our IT systems.” While its previous disclosures appear to include similar language, cyber security experts and websites latched onto this detail as confirmation of what they suspected for months: The fashion house wasn’t merely hacked, but extorted in a failed bid to make it pay up.
Ransomware attacks — which typically involve breaking into systems, stealing or locking data and then holding it for ransom — are considered among the most pernicious forms of hacking. Government entities, utilities and other organizations are frequent targets, but the retail sector has seen more of these types of malicious attacks in recent years.
Most victims pay the ransom, but the luxury apparel company wouldn’t hear of it.
Cyber security site Bleeping Computer and others picked up on this part of Zegna’s latest filing: “As we refused to engage in discussions relating to the payment of the ransom, the responsible parties published certain accounting materials extracted from our IT systems,” it wrote. “We publicly announced the IT systems breach and gradually restored our IT systems from secure backup servers during the weeks following the breach.”
Having gone public last December in the U.S., Zegna has submitted several SEC filings, and some of them refer to this ransomware attack. In WWD’s review of this section of the text, there was one notable difference between its previous disclosures and recent ones: The word “accounting” was apparently added to describe the materials the attackers published. The change was introduced in its Post-Effective Filing Amendment, dated April 6.
It’s not clear exactly what the “accounting” data refers to, or what impact this breach may have had on the business or its partners. The company didn’t respond to a WWD request for comment.
The incident came to light in August when the company acknowledged the breach in a public statement. At the time it didn’t explain the nature of the attack, but cyber security experts took note when ransomware group RansomEXX claimed responsibility for stealing more than 20 gigabytes of the company’s data. Having just hacked systems in Italy’s Lazio region, the gang went on to leak 43 archives filled with Zegna’s documents.
“As these things go, it’s fantastic that Ermenegildo Zegna recovered without capitulating to the cyber criminal gang’s ultimatums,” said Chris Clements, vice president of solutions architecture at cybersecurity company Cerberus Sentinel. “Not paying cyber criminals’ extortion demands is one of the most effective ways to deter cyber attacks, but far too few companies that find themselves in similar situations restore operations in a timely fashion.”
That’s harder and more costly than it sounds, especially for retailers.
According to cybersecurity firm Sophos: “The retail sector became a top target for ransomware and data-theft extortion attacks…[as] cyber criminals were quick to exploit opportunities presented by the pandemic, which in the retail sector was primarily the rapid growth in online transactions.”
In its 2021 State of Ransomware in Retail report, which looked at midsized operations, retail and education stood out as the hardest hit, with 44 percent affected, compared to 37 percent across all sectors in 2020. Retail businesses are also particularly vulnerable to “extortion-only” attacks, like the one directed at Zegna, which threaten to leak stolen data if ransom demands aren’t met. In the survey, more than one in 10 retail victims experienced this, at nearly double the cross-sector average.
The difference between locking companies out of their data and threatening to leak it matters, according to Erich Kron, a security awareness advocate at KnowBe4, a firm that specializes in IT security awareness and training.
Zegna recovered thanks to its backups, but “modern ransomware gangs often operate by exfiltrating data and threatening to release it publicly as well as encrypting it,” he explained. “[That is] a problem that backups did not solve, resulting in the publishing of over 20GB of data to the internet.” In some cases, if the stolen records include employee or customer information, the situation could result in significant fines from regulators, Kron added.
Under the General Data Protection Regulation, brands that do business in the European Union must report data breaches quickly, especially if they involve personal records. The regulation sets a 72-hour deadline starting from when a company becomes aware of the event. Failure to comply can trigger stiff penalties of up to roughly $22 million or 4 percent of global revenue, whichever is higher.
Even without fines, the cost of being hacked still isn’t cheap. Sophos calculated that retailers paid an average ransom of $147,811. Along with other factors, such as downtime, the work to patch security vulnerabilities and more, the actual cost to retail victims averaged out to $1.97 million.
If large fashion and luxury brands make for even more tempting targets, that may come as no surprise to Zegna or to others like Guess, Boggi Milano, FCUK, Graff and Lojas Renner, all of which were infiltrated last year by ransomware groups.
An attack on Moncler slipped in days before the new year, the company acknowledged in January, but like Zegna, it refused to submit to the shakedown. Weeks later, AlphV/BlackCat, which claimed credit for the cyber crime, leaked stolen company data that included information about current and former employees, vendors, consultants, partners and customers.
This string of online crimes may seem alarming, but it doesn’t necessarily mean that bad actors are specifically singling out premium fashion companies. It’s more likely due to fashion’s place as part of retail, which is facing a surge in threats, especially in e-commerce.
SonicWall’s 2022 Cyber Threat Report noted that over the past 12 months, e-commerce and online retailers saw a stratospheric jump in ransomware crime of 264 percent. It’s a far cry from governments and industries like health care, which fared far worse with 1,885 percent and 755 percent increases, respectively. It also can’t touch the biggest attempted ransomware attack of the year — or perhaps ever — which was the attempted fleecing of IT infrastructure company Kaseya for $70 million in bitcoin.
Even luxury brands haven’t faced that level of threat, or at least haven’t reported it. Experts such as KnowBe4’s Kron haven’t seen indications that they’re being targeted either, he told WWD.
But he also noted that “any well-known brand could suffer more from a reputational angle than unknown brands,” so they should take particular care: certainly no maison wants a reputation for being lax on data security when its customers’ information is at stake.