The following conversation between Deb Reuben and Howard Shiebler has been condensed and rephrased for conciseness.
Please share your background.
Shiebler: I worked for GE Capital for many years, in equipment finance, covering various deals and assets. In 2016, when GE Capital was exiting most of its finance businesses, I joined Crossroads.
Crossroads was a small truck and trailer finance company affiliated with a large truck dealership group in Southern California. They had also just acquired the license to do SBA (Small Business Administration) lending. Our SBA business is called Velocity SBA. I oversaw both businesses, and the owners wanted to grow them into a larger, independent company. That was 2017.
Since then, we have grown significantly. We have about a billion dollars in assets and originate almost a hundred million dollars a month in new business. We have about 175 professionals across both companies. We share some functions, like IT and finance, but run them as two independent businesses.
How did you discover the cyber-attack?
Shiebler: I came in on Monday morning in April and discovered our systems had been locked up. Our IT team shut everything down on Sunday night because we were under attack. Some hackers had breached our firewall and encrypted our main lease accounting system, front-end origination system, and shared files on our servers. It was shocking, and our business was brought to a halt. We rely on these systems to operate business day to day. We had cyber insurance for both businesses, and we contacted the insurance company, which sent a forensic team to help us understand the extent of the breach and how they could help get the business back up.
What was the extent of the breach?
Shiebler: We found out that the breach was very bad. Not only had the hackers locked up our systems, but they also deleted our backups on Amazon Web Services and our servers. They demanded two and a half million dollars to return our files and data. That was on Monday.
We decided quickly as a leadership team. I gathered the leaders, and we discussed the situation and depth of the breach. We realized we had no guarantee of getting our systems and data back. We decided we had to figure out how to rebuild it all.
How did you restore operations and get back to business?
Shiebler: We started working on that path, and within a week, we could approve deals by implementing a manual credit approval process. Our new front end was not yet ready; it was about 30 days from launch, so we were not fully prepared for the transition. However, we started using it to document deals but not for credit approval.
We faced a significant labor push to resume business with our customers. Unfortunately, we lost a considerable amount of business due to the delay. Speed is crucial in our truck and trailer business as deals need to be approved the same day and documents turned in within a day or two for funding. Since we couldn’t perform these tasks quickly, we lost the backlog and missed out on new business opportunities.
The leadership team had to meet daily to prioritize the necessary steps and address the challenges faced by the teams. This experience gave me a deeper understanding of the guts of our business operations and the complexities the teams were dealing with. Somebody joked, ‘You’re like the captain of an aircraft carrier that just took four torpedoes, and you’re trying to land airplanes, and somebody else is throwing grenades at you at the same time.’ It did feel like that because it was a never-ending barrage of people trying to figure out how to deal with whatever they were missing or how to deal with customer problems.
Customer problems and communication were significant concerns during this period. We went about 20 days without being able to collect ACH payments from customers. We informed our lenders that we could only make payments once the issue was resolved. They were understanding and supportive of our situation.
We managed to get the business back up and running, although operating at a slower pace. Meanwhile, I had daily discussions with my IT team and the insurance company to negotiate with the ransomware attackers. After approximately ten days, we reached a negotiation point and agreed to pay a substantial sum. Unfortunately, the bad actors could not unlock our systems due to a problem with the decryption process, which remained unclear to us.
It’s important to note that ransomware is a growing threat. We discovered that the attack was carried out by a Russian firm called LockBit, known in the industry for such activities. The insurance companies had previously encountered them, highlighting the increasing trend of ransom demands to unlock systems.
Finding Vulnerability Even with Investment in Security Measures
Shiebler: We discovered how they got in. Oddly, about two years before the attack, we hired someone to focus on our security protocols as our business was growing. We initially began by having an external firm assess our security and received a poor grade. However, this evaluation gave us a roadmap to strengthen our defenses, policies, and procedures. We had another assessment a few months before the attack, which yielded a better grade. However, there were still areas for improvement. We followed the security roadmap and felt confident we had invested time and money wisely in security measures.
Ironically, the breach was not due to our lack of security. The issue originated from a mistake made by the firewall company we employed. The person who configured the firewall unintentionally left their user ID and password, which were simple and should have been disabled after configuring the firewall.
The attackers identified this vulnerability during their attempts to penetrate the firewall. Through testing, they eventually determined the user ID and—using bots—it took them 25 days (about three-and-a-half weeks) to obtain the password and gain access.
I never would have thought to audit our firewall company’s procedures to ensure they didn’t make a configuration mistake. That should have been their area of expertise. Despite all our security investments, a vendor’s error created a vulnerability. We would have successfully defended against the attack because of all the security protocols we implemented. But this vendor made a mistake that created a vulnerability for us that we didn’t know about.
Shiebler: In the future, we plan to implement redundant systems known as hot and cold systems. This involves having a current system as the primary (hot) one, and an independent backup (cold) system. If the hot system gets breached, we can seamlessly switch to the cold system. Although it is costly and challenging, it’s a worthwhile investment considering the potential losses we incurred during this process. Fortunately, we have insurance coverage, and the firewall company is likely to contribute to our recovery. However, going through such an ordeal is something nobody wants to experience.
Our SBA business faced a different issue. While their systems were not locked up, the attackers accessed customer information. Consequently, we are diligently communicating with their customers and addressing concerns about compromised information, its potential use or sale by bad actors, and the associated risks. This adds another layer of risk to the situation, despite the efforts we had previously invested in securing that aspect of our operations.
Having gone through this experience, knowing how much we invested in being safe and how crippling it was to experience a breach, I’m getting the word out.
As I talk to my peers in our industry, most of them realize they’re not really prepared. I was talking to one of my lenders who is the president of a regulated bank. And he said, ‘You scared me to death with what you told me. And I called an emergency executive leadership meeting. We brought in experts immediately to assess all this stuff. We developed an immediate urgent game plan because you scared me so much.’ I can’t even imagine what might be happening with small, independent finance companies that are potentially vulnerable.
A Growing Threat for the Equipment Finance Industry
Shiebler: The number of individuals engaging in such malicious acts is growing, and attacks are increasing in terms of innovation and quantity. We can expect a higher volume of attacks in the future, as attackers may identify industries like ours as vulnerable targets. Suddenly they will say, ‘This is a great industry; let’s go after it hard.’
I’m motivated to share my insights with anyone interested. I want our industry to be well-defended and aware, avoiding disruptions and becoming targets. It infuriates me that we had to pay a large sum of money to these bad actors, inadvertently fueling their business.
What can leaders do to be prepared?
Shiebler: There are two key aspects to enhance security significantly. First, implementing two-factor authentication for system logins is crucial. Most successful attacks occur when someone mistakenly clicks on the wrong item in an email. Approximately 80% of breaches result from this type of attack, where the intruder remains unaware that their actions are being monitored, allowing someone to replicate their actions and gain access to the systems.
Engaging an external company for a comprehensive assessment is highly recommended. Numerous firms specialize in assessing email practices, company size, interactions with vendors, data sharing, data backup protocols, laptop usage policies, and more. This assessment should be the initial step.
Secondly, it’s essential to acknowledge that an attack can still occur even with robust security measures. Therefore, developing a plan to respond if systems are compromised and locked is vital. This planning should involve the entire leadership team, not solely technical personnel. Senior leaders should fully understand and actively engage in discussions regarding cybersecurity measures and backup plans. Creating a playbook for responding to a cyber breach should be a standard practice, like planning for other crises like earthquakes. As we learned from our experience, waiting until an attack happens to devise a response plan is not advisable.
Many leaders believe they have cybersecurity covered, often sharing what they have done after hearing about similar incidents. However, it’s apparent that their understanding is limited. Merely focusing on one aspect, such as email protection, is insufficient.
Instead, I advise everyone to assume that their current measures are inadequate; that whatever you’re doing isn’t enough. Let an outside expert come in and give you a grade and force you to develop a plan so that you can sleep well and know that you’re protecting your company.
I will be presenting at the ELFA Operations & Technology Conference and Exhibition in New Orleans on September 11-13. We are in the planning stages for it now. I’m sharing my story in hopes it will be helpful for people to hear about our experience and lessons learned to help protect them in the future.
In an ever-changing digital landscape, taking proactive steps, embracing thorough evaluations, and staying ahead of evolving threats with an attack response playbook can not only empower your organization to safeguard its valuable assets and ensure long-term resilience but also help you be future-ready and sleep at night.
Howard Shiebler is the President of Crossroads Lease and Finance, a wholly owned subsidiary of the Velocity Vehicle Group, California’s largest commercial vehicle dealers. To hear him speak at the 2023 ELFA Operations & Technology Conference, click here. To watch a video of this conversation, visit ELFA’s Operations & Technology page.
Deborah Reuben, CLFP, is Chair of ELFA’s Innovation Advisory Council and CEO & Founder of TomorrowZone, an innovative consulting firm bringing forward-thinking insights and original ideas to help companies adopt digital, gain efficiencies, and design roadmaps for the future. She holds many industry leadership positions and authored The Certified Lease & Finance Professionals’ Handbook 6th-9th editions.