The global security firm Prosegur was hit by a massive ransomware attack, resulting in alarm installations and other connected systems worldwide being shut down, even as the Spanish company holds ISO 27001 certification attesting to its information security management system.
Prosegur announced this week that it had manually shut down its entire worldwide server operations, affecting 170,000 employees and hundreds of thousands of companies across the globe. The hack affects Prosegur’s entire range of operations, from cash security transportation, online transactions, information security systems, security guard control centers and communications, to over 100,000 ATM cash machines. The company was hit with the Ryuk ransomware, indicating it was likely triggered by an employee who inadvertently clicked a malware link, rather than an intentional server intrusion.
Prosegur’s cybersecurity division holds ISO 27001 certification issued by AENOR, the Spanish certification body. It was not immediately clear which accreditation body was involved, but AENOR holds multiple accreditations from ANAB, ENAC and others. All are members of the IAF.
ISO 27001 certification is supposed to attest to the company’s internal systems for preventing such incidents and for protecting the company’s data, including that of its customers.
The Ryuk virus locks server systems until a ransom in Bitcoin is paid. It is not clear if Prosegur is arranging to pay the ransom or attempting to undo the hack through internal means.
Previously, the credit reporting agency Equifax was subject to the biggest data breach of consumer financial data in human history, while holding ISO 27001 certification from another accredited body, EY Certifypoint, a branch of Ernst & Young. At the same time, financial auditors of Ernst & Young had overlooked the security systems during their own audits, raising questions of conflicts of interest.
Since the hack, it was also reported that Prosegur had failed to renew basic website SSL certificates, potentially opening up public-facing websites to additional attacks. Such a lapse should not be possible if Prosegur were undergoing thorough audits by AENOR.
The IAF and the accreditation bodies have refused to take action against certification bodies (CBs) that are found to have issued certifications to companies later involved in scandals, crimes or lapses directly related to the management systems covered by such certifications, even when such lapses have resulted in death.