In the little that Americanas SA (owner of Americanas, Submarino and Shoptime) has said about the incident that affected its websites and internal systems last weekend, and that has already kept its services down for three days, the company avoids the term “hacker attack” and prefers “unauthorized access”.
Regardless of the terminology adopted (the definition of “hacker attack” is quite flexible), the case exposes a chasm in preparedness for digital defense.
This lack of clarity in communication is part of the problem in a scenario where unauthorized access, unauthorized personal data leaks and illegitimate system lockdowns are only going to become more and more common.
Americanas has offered practically no clarification, which even led to a notification from Procon-SP. That the systems were shut down to protect customer data, as Folha found, does not mean that there was no leak. Not much is known because, so far, Americanas has opted for silence.
Until the morning of this Tuesday (22), the brief comment issued by the group, saying that the systems were suspended for security reasons, appeared only on the Americanas.com page.
Other sites, like Submarino and Shoptime, simply showed an error. The message started to be displayed on both later.
Without transparency, it is difficult to conjecture what might have happened. The size of the damage gives a clue: according to an estimate reported by Folha, it exceeds R$ 100 million per day.
The Lapsus group, which claims to be the author of the attack and also claims to have been responsible for the ConecteSUS hack, released images indicating they were inside Americanas’ intranet; the content was later deleted.
By definition, an intranet is a network connection available only internally to members of an organization.
Again, without clarification from Americanas, it is not possible to gauge how far the criminals’ level of access reached. For a business of that size to be down for four days, you have to assume it was huge.
It is not at all common for a cyber incident response strategy to involve taking a multimillion-dollar loss and eroding the value of the company’s stock. In online commerce, the priority of cybersecurity teams should be to keep services available to users; otherwise, they may simply buy from a competitor.
Thus, the remaining explanations are: 1) the company is seeking to avoid even greater damage; 2) the hackers’ intrusion was so extensive that rebuilding is very laborious (or impossible, if the IT teams are left without access to the systems); or 3) the incident response plan was not as fine-tuned as it should have been.
At some point the defense failed. Either in not detecting a vulnerability that would allow such an impact, or in the preparation of the reaction, or in both.
Historically, the cyberattacks observed in Brazil are not of great technical excellence. They exploit simple failures that generate financial return, often relying on vulnerabilities already known in the market but not properly remediated.
This is not about blaming the victim, however. The offensive that now impacts Americanas is part of a wave of cyberattacks that the few experts in the sector have been warning about for years.
Today it was their turn, as it recently was for Renner, the Ministry of Health, JBS, Colonial Pipeline... and countless cases that don’t make the headlines but will continue to add to the list.
The good news is that with the (cyber)crisis in Ukraine and this growing hacker wave, the way information security is handled seems to be starting to change, and the sector is maturing.
There is an expectation of high investments in the area, and the posture of key countries, such as the USA, is evolving.
After some costly attacks and a series of attacks against the American electoral system, it was understood that it is necessary to create a safe ecosystem for all, with more transparency and collaboration between companies and government. It is useless for each one to take care of only their own microcosm.
In an article published this Monday (21) in the magazine “Foreign Affairs”, the first US cybersecurity director, Chris Inglis, and his adviser Harry Krejsa, call for a change in posture in which security becomes central from the beginning of the development of digital products and systems.
The text comes shortly after the US Department of Justice announced a change in the way it will tackle cybercrime. The focus shifts to helping companies recover rather than arresting criminals.
The explanation: it is very rare to identify hackers and, as they are often in other countries, it is even more complicated to arrest them. Some of the analysis needed to investigate a cyberattack involves delaying the restoration of systems to look for the criminals’ tracks, which causes damage.
If successful, these initiatives can begin a shift so that systems connected to the internet are better guarded, built with cybersecurity at their core. Until then, the digital wild west continues. Protect your data.