Industry News

Ransomware attack hits Pitney Bowes, impacting company mail rooms around the world

Global shipping and mailing service Pitney Bowes has fallen foul of a ransomware attack that has encrypted data on its computer systems and disrupted customer access to its online services.

In a statement published on its website, Pitney Bowes advised customers that it did not believe that client data had been compromised and that users’ postage meters were not at risk of infection.

However, warned Pitney Bowes, the ransomware attack against the firm had left customers unable to top-up the credit on their stamping devices, and SendPro products, postage refill, and access to the online account area had all been impacted.

The company has not named the ransomware which infected its systems, or detailed how large a ransom criminals have demanded (or indeed whether the company is prepared to pay a ransom to its extortionists).

“Our technical team is working to restore the affected systems, and it is working closely with third-party consultants to address this matter,” said Pitney Bowes. “We are considering all options to expedite this process and we appreciate our customers’ patience as we work toward a resolution.”

As of Tuesday evening, Pitney Bowes was claiming via its Twitter account that it was “making progress” at recovering systems impacted by the malware infection, although they (perhaps wisely) did not offer a timescale by which it expected to be restored full operations.

It’s always worth remembering that recovering encrypted data is only part of the challenge for companies hit by a ransomware attack.

It’s also extremely important to understand how the malware infection occurred in the first place, and how it managed to bypass security measures and encrypt corporate data. If steps are not taken to plug security holes that a ransomware attack may have exploited there is always the danger that a reinfection might occur.

Earlier this month, the FBI unambiguously advised businesses that it does not recommend paying ransom demands to online criminals – in part because it encourages more ransomware attacks.

Prevention, of course, is always better than cure. Firms should invest in a layered defence to protect their infrastructure, educate staff about the risks, and ensure that a comprehensive reliable backup system is in place so – if the worst does happen – recovery can be expedited.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

3 Comments

Click here to post a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • "Paying ransoms emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals. However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers. "

    How is this statement from the FBI unambiguous? To me, it says that the FBI understands that businesses will need to make difficult decisions. Surely the "However" makes it highly ambiguous?

    • It's unambiguous because the other part is irrelevant. No matter what someone advises there will be people who do not listen. The FBI understands that businesses will have to make difficult decisions. That doesn't mean the FBI's advice is ambiguous. That's acknowledging that some don't do things the safest way.

      It's really that simple. The advice isn't related to the acknowledgement that some will do otherwise regardless. If everything was the way you read it then … Well fortunately things aren't – though many don't seem to recognise this. Unfortunately.

    • The previous paragraph says "The FBI does not advocate paying a ransom…"; then explains why. This is unambiguous advice.
      The next paragraph (quoted) expands on the why and merely acknowledges that businesses *can* make their own decision regarding payment; the FBI won't try to stop you