Bekker's Blog

Blog archive

How Not To Handle a Security Breach as an MSP

The ongoing security and public relations mess at Wipro, a massive IT outsourcing company based in India with many major U.S. customers, provides an object lesson in how not to handle a security incident as a managed service provider (MSP).

The story was broken this week by Brian Krebs at his respected security blog Krebs on Security. Official information from Wipro has been slow to come out and inconsistent, which is part of the problem.

Krebs approached Wipro earlier this month after hearing about a breach from several sources. According to his latest reporting, a first Wipro employee fell victim to a phishing attack on March 11, with another 22 employees falling for a second round of phishing attacks on March 16 to 19. As of Wednesday, the attack was still ongoing with more than 100 Wipro endpoints "seeded with" a ConnectWise product for remote control of client systems, as Krebs phrased it. Using the compromised Wipro systems as a jumping-off point, attacks have been launched against at least 12 clients, Krebs reported.

One Wipro customer source that Krebs spoke to worked at a large retailer and said the attackers used the access for gift card fraud at the retailer's stores.

Yet Wipro at first stonewalled Krebs' requests for comment, then released a non-informative statement before eventually acknowledging the breach to an Indian newspaper after Krebs published his first blog. Additionally, the company contested Krebs' timeline without providing one of its own, and appears to be passing off the forensic work of its customers as its own.

Krebs summarized Wipro's ham-handed public response this way:

  • Ignore reporter's questions for days and then pick nits in his story during a public investor conference call.
  • Question the stated timing of breach, but refuse to provide an alternative timeline.
  • Downplay the severity of the incident and characterize it as handled, even when they've only just hired an outside forensics firm.
  • Say the intruders deployed a "zero-day attack," and then refuse to discuss details of said zero-day.
  • Claim the [indicators of compromise] you're sharing with affected clients were discovered by you when they weren't.

The PR and communication lessons are important, but the substantive security component is even bigger. A major aspect of the market value of an MSP is the expectation that the MSP will be the strongest link in a customer's security chain and be more aware of security all along the chain than the customer could be. For an MSP to be the weakest link, and have to be alerted to its own security problems by customers, is pretty tough to recover from.

Posted by Scott Bekker on April 18, 2019


Featured

  • Report: Cost, Sustainability Drive DaaS Adoption Beyond Remote Work

    Gartner's 2025 Magic Quadrant for Desktop as a Service reveals that while secure remote access remains a key driver of DaaS adoption, a growing number of deployments now focus on broader efficiency goals.

  • Windows 365 Reserve, Microsoft's Cloud PC Rental Service, Hits Preview

    Microsoft has launched a limited public preview of its new "Windows 365 Reserve" service, which lets organizations rent cloud PC instances in the event their Windows devices are stolen, lost or damaged.

  • Hands-On AI Skills Now Outshine Certs in Salary Stakes

    For AI-related roles, employers are prioritizing verifiable, hands-on abilities over framed certificates -- and they're paying a premium for it.

  • Roadblocks in Enterprise AI: Data and Skills Shortfalls Could Cost Millions

    Businesses risk losing up to $87 million a year if they fail to catch up with AI innovation, according to the Couchbase FY 2026 CIO AI Survey released this month.