It may just be a recurring nightmare for me, but one employee’s weak password has led to the close of an entire company. According to the BBC, that’s all it took to take down the 158-year long running transportation firm in the United Kingdom when the password was merely guessed, granting criminals access to the company’s systems back in 2023.
It seems the unnamed employee chose the password equivalent of a wet paper bag for a password which has now left around 700 people without jobs. That’s the current story around the close of Knights of Old, a Northamptonshire transport company owned by KNP.
Reports tell that after accessing the systems hackers then encrypted and locked integral operational data and systems, and then demanded a ransom for its return. The attacks are likely using the Akira ransomware as a service group. All in all, it’s a pretty standard affair from a ransomware attack. Even the estimated up to £5 million demanded fee is in line with attacks of this nature.
“If you’re reading this it means the internal infrastructure of your company is fully or partially dead… Let’s keep all the tears and resentment to ourselves and try to build a constructive dialogue,” reads the ransom note, according to the BBC report.
Rather than defaulting to a backup or even ponying up the demanded ransom, KNP could not withstand the attack and closed. Unsurprisingly the government is against paying off ransoms, but it’s probably better than everyone losing their job. It’s baffling to me that a company this large didn’t have a contingency plan for a cyberattack. Especially in a country that is seeing a huge rise in these kinds of attacks.
“If it continues, I predict it’s going to be the worst year on record for ransomware attacks in the UK.” Suzanne Grimmer of the National Crime Agency told the BBC.
Tom’s Hardware also cites a recently released BBC Panorama documentary that goes further into the case. In it, they talk to Solace Global, the insurance firm KNP was covered by for cyberattacks. Solace’s cybercrisis team established that all of the company’s backups and server recovery files were deleted, and all other data had been encrypted by the attackers.
The team called it a “worst-case scenario” with all endpoints compromised and no backups the only option was to pay. Unfortunately the documentary also claimed the company couldn’t afford to pay the ransom, making me wonder what the point of insurance was in the first place.
So, it appears a naive employee accidentally made the most guessable password ever at a company with the worst cyber hygiene and everyone involved got very unlucky. That suggests a significant number of weak links in their defence plan.
One random employee password should never be able to be such a weak link in any chain. Generally speaking, employees shouldn’t have the permissions or the access to get anywhere near operational data, let alone things like server backups. Then there’s the offline backups this company should have been running too.
All reports state KNP was up to code on international data security standards, so let’s take a look at those. Even if all the guidelines around passwords, encryption, and employee access were completely ignored this should have all been salvageable. Since at least 2013, international guidelines have mandated an isolated backup to avoid exactly these kinds of situations.
Shared passwords or admin rights where they shouldn’t be could lead to this exact situation where the backups are compromised and then the primary copy is ruined on purpose by the attackers.
James Clifford, Pro IT Consulting
“Store backups in an appropriate location that is environmentally protected, physically distinct from the source data in order to prevent total data loss, and securely accessed for maintenance purposes” reads the ISO 27002 Control 8.13 Information Backup document.
There’s so much to this story that I reached out to a local cybersecurity expert James Clifford who’s also the director of his own company Pro IT Consulting, to ask some questions. I wanted to know how likely it was that a company this large could be taken out by a single cyber attack, especially given everything appeared to be up to code. The answer seems to be—more likely than you think.
“A 700 vehicle transport company probably only had 20-50 admin staff with limited technology exposure. Shared passwords or admin rights where they shouldn’t be could lead to this exact situation where the backups are compromised and then the primary copy is ruined on purpose by the attackers.” explains Clifford “At the very least it should have taken MFA bypass and work by the attacker to get the admin rights needed to delete backups.”
But even if a shared password wasn’t the culprit, even a previous login from an admin could have been enough to take down KNP. “If it was a Windows network then just having an admin previously logged in to a machine with admin rights can be enough to have those admin rights stolen, which means losing a password becomes only a step away from giving up admin rights to everything.”
This brought me to the backups that should have been in place, including those completely isolated from the system. Clifford explained that backups often don’t go the way we hope in the security space. They’re easy to corrupt, aren’t often tested enough, and are generally not done properly due to misinterpretations of the rules. But, as it turns out, criminals are also just really clever.
“Should they(KNP) have been more careful, yes.” Clifford said, agreeing with the importance of good backuping procedures and security hygiene, before adding “But without the details of what the attackers did it is hard to be too critical. I’ve heard cases where the attackers sucked in staff with potential job offers and got them to run code as part of a “test” and then the attackers had all they needed to do a lot of damage.”
And even isolated backups aren’t enough in the case of really savvy hackers as Clifford explains, “If they (KNP) had isolated backups that might have got them back, but you have to connect them to get new backups which is when attackers can ruin them. So you get a backup that isn’t useful if they are stealthy during the setup phase of the attack.
“Then when the attackers are sure they have ruined your recovery capability, they kick off the ransomware. Then you are a bit stuffed because your isolated copies aren’t helpful and you probably haven’t tested them in a year or more because it is hard and expensive.”
Whether it’s a misunderstanding about security procedures, really craft criminals, or actual incompetence is unclear, but Clifford didn’t seem too surprised by all this. “Lots of mainstream stuff misses some of the basics.” he said adding “The story suggests a lack of MFA which refutes the ‘we take security seriously’ narrative that is so common”.
The other interesting thing to note about the UK is they are still working to tighten up their cyber laws. There remain gaps in practices and regulation that allow exploits to continue to happen.
James Babbage, Director General (Threats) at the NCA, told the BBC that these crimes have the hallmarks of the next generation of hackers, who have started “getting into cybercrime probably through gaming” adding “They’re recognising that their sort of skills can be used to con help desks and the like into getting them access into companies.”
It’s a good time to remind folks that gaming can lead to the inverse of hacking skills. I would have basically no clue how to hack a system, but I’ve lost 100s of hours in save files enough times now, so my backup skills are fairly solid. Who knows, if a few more CEOs and security professionals knew the pain of losing their favourite Skyrim save, maybe this never would have happened.
Best PC gaming kit 2025