A ransomware attack and resulting outages at direct debit collection company London & Zurich has forced at least one customer to take out a short-term loan as six-figure backlogs continue to cause cash flow mayhem.

London & Zurich's outage began on November 10 and was confirmed as a ransomware attack four days later on the company's website. The Register is the first to report on it, tipped off by sources impacted by the turn of events.

Since then, we're told customers have been unable to process the vast majority of their direct debit payments, with one managed service provider accruing a backlog of more than $124,000.

We know three other companies directly who all have the same issue as well and they've gone 'we've been left in the dark.' Nobody knows anything. One of those is in a very bad position - they've got no idea how they're going to make payroll

The UK-based MSP, which spoke to The Register, said on Wednesday it was able to process its first payment since the attack started, but said it was confused over when service would return to normal.

A particular pain point has been the communication from London & Zurich, which sources claim has communicated with customers infrequently and sometimes unclearly. 

For example, the company's status page this week indicated that its direct debit portal should be up and running again by November 23, but emails seen by The Register have left customers confused after being told they won't be able to make collections until November 28.

According to Google reviews left in the last week, customers were unable to reach any support services via the company's phone lines, with attempts often ringing out - an experience The Register also had when trying to make contact with London & Zurich.

The MSP said the duration of the outage is what has hit it the hardest. Usually a cash-rich operation, it recently made a large PAYE payment as well as putting a large deposit down on a new office building, making its inability to collect payments especially disruptive at this time.

"Thankfully, we should be alright," the MSP's director told The Register this week. "We've been looking at leveraging director money, we've been looking at leveraging money from the bank… so, we're in a lucky position that we can go to our lenders and [say] 'we need this as an interim measure.'

"Obviously, for a smaller company or for a company that's already debt-leveraged, this could have been hugely problematic, enough to put smaller companies under. The feedback from [London & Zurich] and the information on any estimated times for systems to go live is really horrendous.

"We've just been left entirely in the dark. We know three other companies directly who all have the same issue as well... Nobody knows anything. One of those is in a very bad position - they've got no idea how they're going to make payroll."

London & Zurich declined to answer The Register's questions about whether any data was compromised during the ransomware attack, how the attackers were able to breach its systems, what group was behind it, or when it started.

A spokesperson said: "L&Z recently suffered a ransomware incident. Upon learning about the incident, we immediately initiated an investigation with the assistance of third-party cybersecurity experts and took steps to contain the incident, including identifying and terminating access to the impacted servers.

"Only one environment was impacted by the incident and this has been rebuilt in a new, clean environment. This process is progressing at pace with our API service now fully functional and final testing taking place on two final service areas. We expect this restoration to finalize by the end of the week.

"We're grateful for the patience that our customers have shown us at this time and would ask that they continue to monitor our status update page, which is updated daily, for further information."

The spokesperson also said in an email that the company's focus is recovery and supporting customers, and the investigation is still ongoing.

As of November 22, the MSP expressed frustration over the lack of firm commitments regarding the return to service. London & Zurich said it aims to be "back to normal by the end of this week" but couldn't commit to dates.

"If all systems are back online by Thursday 23rd, you will be able to create collections for the 28th November," the company said in an email to customers.

Based in Solihull, London & Zurich is one of the largest transactors of direct debits for businesses in the UK, serving small and large businesses including the Eden Project and ICPA.

It offers businesses an alternative to collecting direct debits through their banks, which require large indemnity payments. Companies like London & Zurich essentially act as middlemen, collecting direct debits from customers on behalf of businesses, rather than going directly from bank to bank.

How the incident unfolded

As of November 10 at 0919 local time, London & Zurich customers were experiencing "access issues" - terminology that was changed to "major service outage" less than two hours later. Customers at the time were warned that payment collections may be down until November 13.

The status page timeline was updated once a day over the next two days to say remediation work was continuing. There was no new information communicated on November 13, the planned return-to-service date, but a more substantial update came on the 14th when the company posted links to two separate web pages: A general information page and a security incident disclosure.

It told customers that the incident was ransomware in nature, that regulators had been informed, and third-party incident responders were working on the case.

The case was confirmed as "contained" and the company started to rebuild the affected servers in "a new, clean environment as quickly and securely as possible," although it was taking longer than previously expected.

The incident impacted payment schedules dating back to the evening of November 8. Any schedule - a process that leads to a payment collection - made after 18:30 on that day was not backed up and would need resubmitting, the company said.

On November 19 London & Zurich said direct debits for the period November 9-12 had been sent. Taking a few days to clear, this aligns with the reporting from the MSP only receiving their first payment on November 22.

Scheduled payments for the period between November 14-22 are scheduled for same-day payment this Friday.

The company rotated customer passwords which were sent out on November 21 in preparation for the customer portal to go back online on November 23. The online signup portal for new customers is also due to return by the end of the week. Any registrations made after 1830 UK time on November 8 will need to be resubmitted. ®

https://www.theregister.com//2023/11/23/ransomware_attack_at_london_zurich/