However, the head of Kantsu’s IT department then said, “It’s impossible to restore all of our customers at once.”
Kantsu’s logistics operations are supported not only by its own employees, but also by external partner companies. President Tatsujo held an online meeting with these partner companies to explain the current situation and future recovery plans, and requested further cooperation.
Throw away all your old systems
More than two weeks after the cyberattack, Kantsu’s management team was faced with an important decision: what to do with the RPA and order placement systems that had been implemented. These systems had completely stopped functioning due to the cyberattack, and there was a possibility that they had themselves become a route for attacks.
“How long will it take to recover?”
In response to management’s question, the system manager replied, “It will take at least a month, but even if it is restored, there is no guarantee of safety.”
On hearing this, President Tatsujo decided that “we have no choice but to make the bold cuts.” The total amount was ¥700 million (about US$4.6 million). It was a big blow to Kantsu, but better than waiting for a system when the company did not know when it would be fully operational again.
“At that time, a security expert told me, ‘A house that has been broken into by a thief cannot be used without investigating everything from the entry point to the house itself. So we need to investigate thoroughly. Please give us one to two months to do so.’ Furthermore, the cost of the investigation alone would exceed ¥50 million [US$330,000]. However, if we spent a month on the system, all our customers would leave. These are circumstances that so-called security experts do not understand. After thinking about it for three or four days, I decided, ‘Let’s throw away all the old system and build a new one,’” President Tatsujo says.
As a result, Kantsu narrowed the two security specialist companies it had been working with down to one.
“We worked with two companies: a major security company and a venture company, but the major company specialized in investigations rather than recovery, which takes time. What we wanted was a speedy recovery. In that respect, the venture company acted quickly, formulating hypotheses as they investigated, and made flexible proposals to minimize risk while identifying the essence of the problem. We chose this company because we were looking for speed. Even when it comes to something as simple as security, I really felt that it was important to carefully determine which company was strong in what areas,” President Tatsujo adds.
Along with building the system, compensation for business partners was also important. Insurance companies were slow to clarify how much damage insurance would cover, but Kantsu had to quickly clarify how much compensation it would provide to business partners. To do this, it was necessary to determine the extent of the damage and explain it to insurance companies and business partners, but lost data is not easy to recover in a short period of time. If the data could not be recovered, it would be impossible to determine whether personal information had been leaked, and there would be no evidence to support a claim.
“We also had cyber insurance, but the insurance company said they wouldn’t cover the risk hedging limit. I don’t understand why we had cyber insurance. We needed a lot of cash to build the system and compensate our business partners, so we were extremely stressed,” President Tatsujo says.
The insurance claim certification process began in mid-December, three months after the incident. Ultimately, the full amount was paid, but while the system was being restored, it was unclear how much of the insurance money Kantsu could rely on. The company quickly obtained a loan from a financial institution to avoid a worsening cash flow that would put it in a difficult position.
In the end, Kantsu suffered a total loss of ¥1.7 billion (US$11.1 million), including ¥700 million for system renewal and ¥1 billion for compensation. Nevertheless, the company was able to announce a recovery internally at the end of October and externally on Nov. 1.
“No matter how much we defend, we cannot completely prevent [cyberattacks]. It is important to prepare incident manuals and recovery plans in advance so that we can respond even if we are hit by a cyberattack,” President Tatsujo says of the experience.