Full Report
A pet retailer in West Lothian has fallen into liquidation after nearly three decades in business following a cyber-attack which left the firm with “no future”. At its peak, Pet Planet, based in Livingston, operated profitably and had revenues of £12 million as it offered customers a variety of products ranging from premium food to litter and toys. However, despite being in business since 1999, the firm collapsed on March 31, with administrators officially called in on Friday. Recent documents filed to Companies House showed that despite the firm receiving a boost in sales during the Covid-19 pandemic, directors refused to pay the “large ransom” from cyber-criminals last year who stole customer data. Filings showed that the company received £500,000 from its insurance company following the ransom, but the attack made “restoring revenue difficult”.
Analysis Summary
# Incident Report: Ransomware and Data Theft Leading to Corporate Liquidation
## Executive Summary
Historically profitable UK pet retailer **Pet Planet** was forced into permanent liquidation following a severe ransomware attack and data breach. Despite peak revenues of £12 million and a £500,000 insurance payout, the combined impact of customer data theft and operational disruption made the business unsustainable. After refusing to pay a "large ransom" in 2023, the firm collapsed in March 2024, resulting in total job losses.
## Incident Details
- **Discovery Date:** Late 2023 (based on filings mentioning "last year")
- **Incident Date:** 2023
- **Affected Organization:** Pet Planet (M360 Ltd)
- **Sector:** Retail (Pet Supplies)
- **Geography:** Livingston, West Lothian, Scotland
## Timeline of Events
### Initial Access
- **Date/Time:** 2023 (Specific date not disclosed)
- **Vector:** Not explicitly disclosed (Likely external-facing vulnerability or phishing)
- **Details:** Attackers gained access to internal systems and exfiltrated sensitive customer data.
### Lateral Movement
- Details regarding lateral movement techniques were not disclosed in the public liquidation filings.
### Data Exfiltration/Impact
- Threat actors successfully stole customer data from the firm's databases.
- Ransomware was deployed, or a ransom demand was issued based on the threat of leaking stolen data.
### Detection & Response
- **Detection:** The firm detected the intrusion and subsequent "large ransom" demand.
- **Response:** The board of directors refused to pay the ransom.
- **Insurance:** The company successfully claimed £500,000 from their cyber insurance provider.
- **Liquidation:** Firm officially entered liquidation on March 31, 2024; administrators appointed Friday, April 5, 2024.
## Attack Methodology
- **Initial Access:** Unknown
- **Persistence:** Not disclosed
- **Privilege Escalation:** Not disclosed
- **Defense Evasion:** Not disclosed
- **Credential Access:** Not disclosed
- **Discovery:** Not disclosed
- **Lateral Movement:** Not disclosed
- **Collection:** Gathering of customer PII (Personally Identifiable Information).
- **Exfiltration:** Large-scale theft of customer databases.
- **Impact:** Financial extortion through ransom demand and crippling of revenue-generating operations.
## Impact Assessment
- **Financial:** Total loss of firm; £12 million in peak revenue lost; £500,000 insurance payout (insufficient for recovery).
- **Data Breach:** Theft of customer data (volume not specified).
- **Operational:** "Restoring revenue difficult" following the attack; total cessation of business.
- **Reputational:** Liquidation of a company that had been in business since 1999; all staff made redundant.
## Indicators of Compromise
- **Network/File/Behavioral Indicators:** Specific technical IOCs have not been released by administrators or the Scottish authorities at this time.
## Response Actions
- **Containment:** Refusal to engage in ransom negotiations.
- **Recovery:** Attempted to leverage £500,000 insurance payout to rebuild/sustain operations.
- **Liquidation:** Appointment of administrators from FRP Advisory to wind down the company.
## Lessons Learned
- **Cyber Insurance Limits:** Even a significant insurance payout (£500k) may be insufficient to cover the long-term "tail" of a cyber-attack, such as customer churn and operational friction.
- **Ransom Decisions:** While refusing to pay a ransom is ethically and legally recommended, organizations must have a secondary "catastrophic recovery" plan to prevent total business failure.
- **Retention Policies:** Storing 25+ years of potential customer data increases the "blast radius" of an exfiltration event.
## Recommendations
- **Immutable Backups:** Ensure off-site, offline backups are available to restore revenue-generating systems without paying ransoms.
- **Business Continuity Planning (BCP):** Conduct tabletop exercises specifically for "Refusal to Pay" scenarios to understand financial viability post-attack.
- **Data Minimization:** Regularly purge old customer data to reduce the leverage held by attackers during data theft-based extortion.
- **Enhanced Perimeter Defense:** Implement MFA (Multi-Factor Authentication) and EDR (Endpoint Detection and Response) to prevent the initial breach.