However, the head of Kantsu’s IT department then said, “It is impossible to restore all of our customers at once.”
Kantsu’s logistics operations are supported not only by its own employees, but also by external partner companies. President Tatsuzo held an online meeting with these partner companies to explain the current situation and future recovery plans and requested further cooperation.
Throw away all your old systems
More than two weeks after the cyberattack, Kantsu’s management team faced a critical decision: what to do with the implemented RPA and order placement system. These systems had completely stopped working due to the cyber attack, but there was a possibility that these systems themselves had become the path of attacks.
“How long will it take to recover?”
In response to management’s question, the system manager said, “It will take at least a month, but even if it is restored, there is no guarantee of security.”
Hearing this, President Tatsuzo decided that “we have no choice but to make major cuts.” The total amount is ¥700 million yen (about US$4.6 million). This is a big blow to Kantetsu, but it’s better than waiting for a system that the company didn’t know when it would be fully operational again.
“At that time, a security expert told me, ‘A house that has been broken into by a thief cannot be used without checking everything from the entry point to the house itself. So we need to do a thorough investigation. Please give us one to two months to do this.’ Furthermore, the investigation alone would cost more than ¥50 million yen (US$330,000). However, if we spent a month on the system, all our customers would be gone. These are situations that so-called security experts do not understand. After thinking about it for three or four days, I decided, ‘Let’s throw away all the old system and build a new system,” says President Tatsuzo.
As a result, the two security specialist companies were consolidated into one.
“We worked with two companies: a major security company and an enterprise company, but the lead company specializes in investigation rather than recovery, which takes time. What we wanted was a quick recovery. In that regard, the enterprise company worked quickly, formulated hypotheses during the investigation, and made flexible proposals to mitigate risk while identifying the essence of the problem. We chose this company because we were looking for speed. Even When it came to something as simple as security, I really felt it was important to carefully determine which companies were strong in which areas,” says President Tatsuzo.
Along with building the system, compensation for business partners is also important. Insurance companies were slow to clarify how much loss the insurance would cover, but Kantsu was quick to clarify how much compensation it would provide to business partners. To do this, it was necessary to determine the extent of the damage and explain it to insurance companies and business partners, but it is not easy to recover lost data in a short time. If the data could not be recovered, it would be impossible to determine whether personal information was leaked, and there would be no evidence to support the claim.
“We also had cyber insurance, but the insurance company said they would not cover the risk protection limits. I don’t understand why we had cyber insurance. We needed a lot of cash to build the system and compensate our business partners, so we were extremely stressed,” says President Tatsuzo.
The insurance claim certification process began in mid-December, three months after the incident. Ultimately, the entire amount was paid, but while the system was being restored, it was unclear what portion of the insurance money they could count on. The reason they quickly obtained a loan from a financial institution was to avoid worsening cash flow that could put them in a difficult situation.
In the end, Kantetsu suffered a total loss of ¥1.7 billion yen (US$11.1 million), including ¥700 million for system upgrades and ¥1 billion for compensation. Nevertheless, they were able to announce reforms internally in late October and externally on 1 November.
President Tatsuzo says of the experience, “No matter how much we defend, we cannot completely prevent (cyber attacks). It is important to prepare incident manuals and recovery plans in advance so that we can respond even if we are hit by a cyber attack.”
