Cymraeg

Cyber attack: how it put me out of business

Lee Moore is a businesswoman and writer who experienced a prolonged and traumatic cyber attack by a supplier between August 2013 and March 2014. It happened because she did not understand the cyber threats to her business nor have a cybersecurity plan in place. 

I sowed the seeds of a 7 month, cyber-attack against me and my business two years before it happened. When I set up the company, I was unaware of the cyber threats to my business and their devastating impact upon my work, income, reputation and well-being. I did not have cyber liability insurance. Cyber-security was not in my business plan.

Impatience, ignorance, disinterest in matters IT, plus assumptions that firewalls, anti-virus and a couple of variations of the same, unchanging password on my domain registry, email and social media accounts were sufficient to keep my “computer” permanently protected and secure, rendered me vulnerable.

The cyber-attack was conducted by my former web-developer. The person, most small businesses trust. I chose him on a colleague’s recommendation, whose new website I liked.

I engaged him to design and host my personal and corporate websites and emails.  He created my Twitter and Facebook accounts. At the outset, I naively told him that I was not “IT Savvy.”  He professed a desire to help. Relieved to hand over matters IT, I let myself be groomed perfectly.  He played the long game.   

I followed his instructions to never switch off my computer and wireless router, not realising that in doing so, it retained a constant IP address, which he harvested and used for the attack.

He had access to my domain registry, email and social media accounts because he set them up. I never changed my passwords and usernames after he had used them.

I did not maintain professional boundaries so the relationship became personal.  We used first names. He gave me personal information, I responded with mine.  After I told him about the terminal illness then death of my husband, he struck.

He said my website was vulnerable to hacking and that I urgently needed a new website as the current one was out of date. I did not understand that this was because of the development environment he had used. He said his other client’s websites would be damaged if mine was compromised. He offered a discounted price of £1250.   I consented. Grief and fatigue overrode a gut feeling to take my custom elsewhere.

Within days of full payment and the new site going live, I received a demand for 5 days unspecified and unauthorised, extra work, plus my first notice of a 25% increase in charges. On disputing these charges,” I received an email threat to “pay or test me, if you will.”    I asked Trading Standards to intervene. Their intervention was met with a payment demand for a further 6 days’ unauthorised work on the new site, in addition to the extra 5 days.  It was accompanied by another threat, “tell Lee to pay or test the servers if she will.”   The effect of which would have been to delete my new website, emails and work from his servers.

Before I could respond and despite having paid in advance for services, he abused my trust and took total control of my personal and corporate emails, websites, domain registry, Twitter, Facebook and Linked In accounts.   I could not trade.  He held all my business and personal contacts details.  The realisation that he could email friends and clients and post on my social media accounts in my name, appalled me.  Trading Standards withdrew stating this was a police matter. 

I purchased a new company and domain names to continue trading. He found them and my new email address within 48 hours. He used nine different email addresses to harass and bully me.  He posted a tweet to me, stating “this is what happens to people who do not pay their bills.”

Using my personal and corporate web domains he created webpages and published them on the worldwide web.   He falsely stated to potentially 1.6 billion people, that me plus my companies new and old, owed him money. He libelled me by stating that I was an active and persistent debtor plus a high risk person to do business with.  He inserted his business logo between images of me on Google.  Any visitor clicking on his logo was taken to a defamatory web page about me and my businesses.  He threatened to damage my credit rating. This continued on a daily basis for 7 months.

My company offered to pay disputed monies into court and invited him to sue me and both companies.  To date, he has not done so.  He purchased a further domain using my brand and falsely registered it at my home address.  Using that domain, he then set up a further defamatory web page about me, my companies and my brand.

He, or an unknown third party who had illegally been given or obtained my password, accessed my Twitter account and posted offensive Tweets in my name.

The police withdrew stating this is purely civil matter. They maintain that no criminal offences have been committed.  Civil proceedings were prohibitively expensive. I was quoted £15k for one injunction!

Severe personal impact

The impact upon me was severe.  My sleep was disturbed, I lost my appetite. I lost weight. I lost any peace of mind.  I felt drained. I could not think clearly. I felt overwhelmed.  It was truly distressing to see my reputation and brand trashed daily. I felt bullied.

Friends and colleagues helped me recover my social media. An expert IT adviser found a Trojan on my PC.   He also managed to get the false information published about me and my business removed from all internet search engines. My relief was immense. Sleep returned. 

I can no longer use my brand. I had to withdraw the book that I had just published, with the brand name. It had attracted a 5* rating from its first reader in Canada. The attack has and continues to cost thousands of pounds. I was denied the ability to trade for well over 8 months.

I have had to change my name and the name of my new business. The book will need to be amended and re-published with a corresponding duplication of time, work and costs.

Fifteen months after the attack, I am about to recommence work and replication of costs and effort. Having a Cyber Security Strategy in place is top of my business plan.      

In partnership with