According to a complaint filed by a former employee, cybercriminals exfiltrated records that held personal information like names and Social Security numbers belonging to 76,000 current and former employees of Paradies Shops.
# Incident Report: Paradies Shops Ransomware Data Breach and Subsequent Settlement
## Executive Summary
In October 2020, the airport retailer Paradies Shops suffered a ransomware attack, reportedly executed by the REvil group, leading to the exfiltration of personal data belonging to approximately 76,000 current and former employees. The company took eight months to notify data breach victims and state attorneys general, resulting in a class-action lawsuit alleging negligence and delayed notification. The incident concluded with the company agreeing to a preliminary $6.9 million settlement.
## Incident Details
- **Discovery Date:** Not explicitly stated, but breach activity concluded in October 2020, and notifications occurred eight months later (mid-2021).
- **Incident Date:** October 2020
- **Affected Organization:** Paradies Shops (Airport retailer with operations across U.S. and Canadian airports)
- **Sector:** Retail/Hospitality (Airport Concessions)
- **Geography:** U.S. and Canada (Atlanta-based headquarters)
## Timeline of Events
### Initial Access
- **Date/Time:** Five days in October 2020
- **Vector:** Ransomware attack, reportedly attributed to the REvil group. (Specific initial access vector not detailed in source.)
- **Details:** Attackers accessed the company's administrative system over a five-day period.
### Lateral Movement
- Details regarding lateral movement were not provided, other than that the attackers successfully accessed records containing employee PII.
### Data Exfiltration/Impact
- Cybercriminals exfiltrated records containing personal information, including names and Social Security numbers, belonging to 76,000 current and former employees.
### Detection & Response
- **How it was discovered:** Not specified.
- **Response actions taken:** Notifications were sent to data breach victims and state attorneys general eight months after the incident. The company later agreed to a $6.9 million class-action settlement.
## Attack Methodology
- **Initial Access:** Ransomware delivery mechanism unknown; access gained to administrative systems.
- **Persistence:** Not detailed.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Implied by the exfiltration of PII including Social Security numbers.
- **Discovery:** Not detailed.
- **Lateral Movement:** Successfully moved to access employee data stores.
- **Collection:** Gathered records containing PII (names, SSNs).
- **Exfiltration:** Data was stolen/exfiltrated by the threat actors.
- **Impact:** Encryption/disruption (implied by ransomware designation) and large-scale PII theft.
## Impact Assessment
- **Financial:** Preliminary settlement of $6.9 million to resolve class-action lawsuit.
- **Data Breach:** Personal information (names, Social Security numbers) of 76,000 current and former employees.
- **Operational:** Not detailed regarding immediate operational shutdown, but the incident led to significant legal and financial ramifications.
- **Reputational:** Subjected to a class-action lawsuit alleging negligence and delayed transparency.
## Indicators of Compromise
- **Network indicators - defanged:** None specified.
- **File indicators:** None specified.
- **Behavioral indicators:** Compromise of administrative systems, data exfiltration over five days in October 2020.
## Response Actions
- **Containment:** Not specified, but containment efforts would have been required following the ransomware deployment.
- **Eradication:** Not detailed.
- **Recovery actions:** Not detailed beyond the resumption of normal business operations following the intrusion; the organizational response subsequently centered on legal settlement negotiations.
## Lessons Learned
- The eight-month notification delay following the breach discovery drew significant legal scrutiny and fueled the class-action suit.
- The organization was accused of being negligent and careless in protecting collected employee data.
- Legal fees and settlement costs associated with data breaches (even when denying wrongdoing) can be substantial ($6.9M settlement).
## Recommendations
- Implement robust, timely incident response protocols mandating disclosure timelines compliant with state and federal regulations.
- Review and enhance data protection measures for sensitive employee PII such as Social Security numbers, with particular attention to the administrative systems that ransomware groups target.
- Conduct regular, comprehensive security assessments to identify and remediate weaknesses that could allow prolonged unauthorized access (the attackers held access for five days in this case).