On December 9, around 16 stock brokerages found that they were cut off from their servers placed at a data centre managed by Comtel.
It was a ransomware attack and there were fears that clients may not be able to place their orders and that clients' confidential details may have been compromised.
Comtel-managed data centres house stock brokers' servers and other networking equipment. Comtel provides services such as rack space, power and bandwidth, and also rents out hardware. Brokerages usually use these services to manage costs: they can either maintain their own data centres or use shared services of the kind Comtel provides.
The data centre serving this set of brokerages was located in Andheri, Mumbai.
In a conversation with Moneycontrol, Comtel's team answered questions on how the attack unfolded, how it was managed and how the team is working to prevent further attacks.
Present for the discussion were the company's directors JP Gupta and PK Gupta.
How did the ransomware attack get reported?
In the early hours of December 9, around 7 am, Comtel's team started getting calls from brokerages that a message was flashing on their systems that they have been hacked, their data has been encrypted and that they need to reach out to a third-party entity to resolve this. None of the brokerages reached out or engaged with the third-party attacker, but called the Comtel team to resolve the issue.
When brokerage systems are down for a particular period of time, the regulatory protocol demands that the brokerages inform the exchanges immediately. When the number of brokerages making such reports to the exchanges went steadily up, there was a certain amount of panic.
How did it affect the brokers?
They were not able to access their servers which were located at the data centre managed by Comtel. There were fears that client orders could not be processed and the Comtel team accepts that there may have been lost trading hours due to this.
How many brokers were affected?
Sixteen out of nearly 250 broker-clients. There may have been more brokerages, though much fewer in number, affected in data centres managed by other entities.
Did the vulnerability originate in the sister concern Symphony's OMS application?
The investigation has not so far revealed that the attack originated in Symphony's client-facing OMS (order management system) application. Also, not all users of this application have been impacted. We are investigating this further.
As far as the security of broker-clients is concerned, clients decide on the cybersecurity setup, such as the levels of their firewalls, which vendors to use and so on, and control the access to their servers.
When were the systems restored?
We quickly isolated the impacted systems. The services were restored by 11 am, and, by the end of the day, most of the servers were running, except for two or three brokers' who had their own hardware in the data centre. (Comtel manages virtual machines for many of these brokers and provides more limited services to brokers who have their own physical servers in the centre.) After the attack, brokers who had subscribed to VMs were quickly transferred to new VMs. But the brokers who had their own physical servers had to arrange alternative servers, and format and clean the machines before they could be reintegrated with the data centre.
Have client details been compromised?
None of the confidential details of clients have been accessed. All the attack did was to cut off the brokerages' access to their database, which included information about trading done (dealer-wise, client-wise, etc.) the previous day.
The damage was limited to the loss in trading hours and the opportunity cost. But since the attack happened early in the morning, the impact wasn't too high. If it had happened during the day, brokerages may have had trouble managing positions they had already created.
All the brokerages, including the ones affected, continue to be associated with Comtel.
What is being done to avert another such attack?
We have hired a certified systems auditor and an independent expert to check what went wrong and what are the gaps that may have led to the attack. The report will be sent out to all the brokerages.