How ready is your food business for a cybercrime attack?
Arun Chauhan and Esther Phillips outline the dangers cybercrime poses to the food industry and ask whether businesses are truly prepared for a criminal attack.
Most businesses now understand the importance of investing in technology, training and infrastructure to prevent fraud and cybercrime; but what if the worst should happen and, despite your efforts, your business finds itself the victim of a cyber-attack, with the risk of your confidential data being disclosed in the public domain?
Imagining the threat
Imagine an internal investigation is taking place in your business, revealing that counterfeit products have entered the market, or that you have discovered adulteration of a product used in your supply chain. The findings of your investigation have remained private and then a cyber-attack causes leakage of that information or the threat to reveal it.
What then? You have lost control of the narrative for your customers and of your approach to dealing with regulatory bodies. The threat is real; however, planning your reaction in real time, while a fraud event is taking place, is not ideal. Knowing your options ahead of the challenge represents good governance, be that for the risk of cybercrime or for the other types of fraud risk facing the food industry.
Ransomware attacks often attract a lot of publicity, and those behind such crimes have learnt that targeting big business can be very lucrative. Many will remember the infamous ‘WannaCry’ attack of 2017, which targeted organisations across the globe, most notably the NHS in the UK. In the same year, ransomware known as ‘Petya’ disrupted businesses in the US, Europe and Australia, including a Cadbury’s chocolate factory.
The aim of this kind of attack is to steal or encrypt data, then to alert the victim via an electronic message with threats to delete or publish the data unless a ransom is paid (often in Bitcoin). The immediate reaction is to try to retrieve the data without paying the ransom, but this has often proved to be impossible, not to mention costly. What would your organisation do? How would you react if that threat was made at 5pm on a Friday?
Many individuals and businesses will feel they have no option but to pay the ransom, but this is not a straightforward issue. Factors to consider include whether a payment to an unknown fraudster would amount to funding terrorism or other organised crime, and whether it breaches the terms of any cyber insurance policy your organisation holds.
Whilst Bitcoin has become more mainstream, without the same regulatory controls as physical currency, it (and other cryptocurrencies) still affords its users a level of anonymity typically associated with criminal activity. Therefore, paying the ransom may not only be morally adrift, but may fall foul of local legislation. An additional risk is that once the ransom is paid, the threat is not removed and the attackers come back for more.
There may be many reasons why a business does not want its data publicised. On a general level, in the UK and Europe, all businesses have an obligation to safeguard personal data under the General Data Protection Regulation (“GDPR”). Therefore, data loss not only results in reputational damage and embarrassment but can also lead to heavy regulatory fines.
In the food industry, many businesses have closely guarded secrets about their products which they would not want in the public domain. The leaking of secret ingredients, recipes, methods and know-how could have long-lasting damage. This risk, coupled with industry recognition of the sector being at increased risk of cybercrime means all organisations, large or small, need to be alert to preventing and responding to a cybercrime event.1
Can the law assist?
There is lots of practical advice on helping your organisation prevent the risk of a cybercrime attack. It is not all about firewalls and software. The ultimate gateway into your organisation for a cybercriminal is deceiving your people. Helping your people to know the risks, to have the skills to see a threat, and to have the confidence that they will not be reprimanded if they delay a critical transaction because they fear a risk of cybercrime, all aids the defence against cybercrime.
However, if a cybercrime event does occur, once all technical support avenues have been exhausted, your business may be in damage limitation mode. Unable to retrieve your data, and unwilling or unable to pay the ransom, what steps can you take to minimise the reputational damage your business is faced with?
If your organisation has been tricked into paying money to a fraudster, instead of a genuine supplier, there are legal remedies available to freeze accounts of the fraudster, to trace the money, and in very precise circumstances, potentially recover money from your bank.
However, when it comes to cybercrime causing the risk of a leak, or an actual exposure, of confidential data, the UK courts may still help. A party can apply to the High Court for an interim order which can prevent the disclosure of confidential data, and which can be extended to apply to ‘persons unknown’, ie, unknown cybercrime attackers.
The interim order known as a ‘non-disclosure order’ has been utilised in breach of confidence litigation for many years. The use of the term ‘person or persons unknown’ is derived from the case of Bloomsbury Publishing Group Plc v News Group Newspapers Ltd, in which the ‘person unknown’ had stolen an advance copy of a Harry Potter novel which had subsequently found its way into the possession of The Sun newspaper. However, the phrase has since been ascribed to a wide variety of groups and individuals, including paparazzi photographers, blackmailers, trespassers and, more recently, cyber hackers.
In order to qualify for such a court order, you must have the requisite grounds for a claim for breach of confidence, namely:
- The information itself must have the necessary quality of confidence, ie, it cannot already be in the public domain
- The information must have been provided or made available in circumstances importing an obligation of confidence, ie, the defendant must have known or ought reasonably to have known that the information had been given in confidence
- There must be an unauthorised use of that information to the detriment of the party communicating it.
In circumstances where the identity of the hackers may never be known, one may question what the purpose of a non-disclosure order is, particularly when the court order may never be served on its intended recipient(s) (ie, the perpetrators) or even brought to their attention.
However, the power of the non-disclosure order is in its indirect effect. Put simply, the existence of a non-disclosure order can act to prevent the publication of the stolen data by any third parties that find themselves in possession or control of it: for example, a news group or broadcaster, or individuals threatening to expose it on social media.
In the case of PML v Persons Unknown, the non-disclosure order was not only served by email on the hacker themselves, but also on third-party website operators, thereby cutting off the hacker’s circulation and publication networks.
What if the litigation itself damages reputation?
In some circumstances, businesses may be reluctant to take legal action due to the public nature of proceedings. Certain factual scenarios, or even threats and allegations (which are not necessarily true), may cause untold damage, particularly in the food industry, where question marks over food integrity can do lasting damage to brands.
Last year, Tesco made an application for anonymity in respect of the criminal prosecution of Nigel Wright, a farmer who had placed metal shards in jars of baby food as part of a scheme to blackmail Tesco into paying him the equivalent of £1.4m in Bitcoin. Tesco wanted to prevent Mr Wright’s actions from becoming known, as their publication presented a risk of loss of confidence in Tesco.
Tesco’s application was refused on the basis that the judge held that Tesco’s Article 6 (right to a fair trial) rights were not engaged (ie, the fact that Tesco was not anonymised as the victim did not mean it would not be treated fairly in the proceedings). In addition, the judge did not consider the case to fall within the ‘classic mould’ of blackmail cases; consequently, Tesco did not require anonymity, as it had not done anything disreputable or discreditable.
However, the cases of PML v Persons Unknown and AA v Persons Unknown (both dealing with anonymisation of the claimant in circumstances of corporate blackmail) were not referred to in R v Wright; therefore it is considered that the principle of anonymisation in corporate blackmail cases is still in play.
Playing catch up
While for a long time the balance seems to have been in favour of the hackers or fraudsters, the law is now catching up, and there have been a number of recent decisions from which victims of cyber-attacks can draw some hope. For example, in the latter part of 2019, the High Court held that cryptocurrencies constituted property under English law, paving the way for the granting of an interim injunction over a Bitcoin ransom.
There are still many issues to overcome, but the law is heading in the right direction, and the interim remedies discussed in this article may prove valuable in limiting the ability of the hackers to cause irreversible reputational damage.
All business enterprises evolve and innovate. Sadly, criminals are no different, which means the food sector has to continually assess and re-assess its approach to fraud prevention, including cybercrime.
Some small steps and changes in the food sector will enhance your products, but in other areas of your business such small steps and changes can protect against the long-term damage of a cybercrime attack. Small changes can add up to a big result, after all.
About the authors
Arun is a director at the niche law firm Tenet Compliance & Litigation which provides advice on financial crime compliance, fraud investigations and recovery of losses due to fraud. Arun is also Deputy Chair of the highly respected charity, the Fraud Advisory Panel.
Arun has over 15 years’ experience as a solicitor advising on fraud-related matters, including employee fraud, bribery and corruption, investment fraud and professional negligence claims ranging in value from £50,000 to £10,000,000.
He is a regular speaker and trainer on counter fraud issues, an expert for the BBC on fraud related issues, and holds a post-graduate diploma in financial crime compliance with the International Compliance Association.
Esther trained at a national commercial firm in the areas of property, corporate, commercial and litigation, giving her versatility and breadth of knowledge.
Esther practises all aspects of commercial litigation, with her cases particularly focused on fraud-related company issues (such as breach of fiduciary duties), misrepresentation cases and professional negligence.
As part of her role at Tenet, she supports the Team on specific research tasks and more widely in terms of professional development. Esther’s role also incorporates knowledge sharing and engagement.