The company could be liable for damages if client information is found to be compromised, Wipro previously said in regulatory filings.
Early on Tuesday morning, cyber security investigation website KrebsOnSecurity reported that hackers had compromised Wipro’s IT systems and launched attacks on the firm’s clients.
Refuting the website’s claim that Wipro was in the process of building a “new private email network” because the intruders were believed to have compromised its corporate email system, chief executive Abidali Neemuchwala told reporters that “such attacks are common in the industry” and that the KrebsOnSecurity blog had conflated various events.
Advanced Phishing Campaign: Wipro
“We think we have a pretty good email system. You can reach us on our emails,” Neemuchwala told ET.
Wipro called the attack that happened last week on its systems a ‘zero-day’ attack, a term that is meant to describe an attack on the same day that a software vulnerability is discovered. Zero-day vulnerabilities are greatly prized by hackers because there are no patches — a solution to an issue in a software’s security — available to fix the breach.
The cyber security website had reported that Wipro was ‘dealing with a multi-month intrusion from an assumed state-sponsored attacker’.
It also said that Wipro’s systems were being used to attack at least a dozen of its clients. “We detected a potentially abnormal activity in a few employee accounts on our network due to an advanced phishing campaign. Upon learning of the incident, we promptly began an investigation, identified the affected users and took remedial steps to contain and mitigate any potential impact,” Wipro said in a statement to ET.
The company said it had informed a ‘handful’ of customers in line with its protocol, though costs of the attack were not disclosed. In its annual filing last June with the US Securities and Exchange Commission, Wipro had said it was liable in case its network was breached.
In reply to queries on whether Wipro will be required to reimburse clients on the costs involved in the security breach and its investigation, Neemuchwala said the company “will be compliant with customer contracts.”
Later, as Wipro executives addressed analysts on a post-earnings conference call, Brian Krebs, who runs KrebsOnSecurity, joined the call and asked them to spell out exactly what the inaccuracies in the report were.
Wipro COO Bhanumurthy BM responded that he would be willing to talk to the researcher on a ‘separate call.’ Responding to a tweet from ET on the developments, Krebs wrote, “They’re (Wipro executives) happy to tell investors my story is full of holes but when I ask them to their face to say where the piece was in error, they dodge the question. Definitely the behaviour of a company with nothing to hide.”
Wipro said it investigates over 4.5 million security alerts a year and puts employees through training courses. “The company has a training programme where phishing mails are generated internally and sent to employees. If an employee clicks on it, they are sent to training,” said Saurabh Govil, the head of human resources at Wipro.
Cyber security experts are of the view that IT companies are ripe targets for cyberattacks as hackers can then breach systems of multiple clients.
“A phishing attack, where an employee is tricked into opening a mail, is particularly tough to combat because this is an industry of so many young people,” said a cyber security consultant.
In the list of risk factors in its annual report for last year, Wipro had said that “if any person, including any of our employees or former employees, penetrates our network security or misappropriates sensitive data, we could be subject to significant liability from our clients or from our clients’ customers for breaching contractual confidentiality provisions or privacy laws.”
“IT companies generally put in place strong systems for this. Typically, they also have insurance,” the person added.
IT and business process management companies have flagged risks related to hackers. Last April, BPM company [24]7.ai said it discovered a hack that affected its clients such as Sears and Delta Airlines.
The cyber-crime police station in Bengaluru said that, as of Tuesday evening, it had not received any complaint from Wipro about an attack. “We continue to monitor our enterprise and infrastructure at a heightened level of alertness,” the Wipro statement said.
Wipro stock closed 2.45% down at ₹281.1 on the BSE on Tuesday. The Sensex closed 0.95% up at 39275.64 points.