Is ESG Data the Next Target for Ransomware Actors?

As a famous frog once said, it’s not easy being green. In late January, reports surfaced of a ransomware attack on the Sustainability Business division of Schneider Electric, raising the question: how valuable a target is corporate sustainability data? As organizations embark in earnest on environmental, social and governance (ESG) strategies, they may need to do more to keep this information locked down.

What Happened at Schneider Electric?

The Cactus ransomware group claimed to have 1.5TB of the company’s data, threatening to release it publicly if the French multinational didn’t pay up. A month later, it published 25MB of data to drive home the threat. It still isn’t known whether Schneider Electric has paid a ransom for the data, nor whether Cactus encrypted the information while also stealing it, which is its general modus operandi.

Schneider Electric has suffered a ransomware attack before; the Clop gang gained access to some of its data in May 2023 as part of the attack on Progress Software’s MOVEit file transfer service, which vacuumed up thousands of companies’ information.

This time, the attack focused on one specific division. The Sustainability Business division is an operation within Schneider Electric that focuses on a relatively new market: the collecting and reporting of sustainability data.

A Growing Need for ESG Data

Sustainability data represents the “E” in ESG, a growing movement to make companies more accountable for their effect on the planet and society. The sustainability side deals with metrics including consumption (of resources like energy and water), along with emissions (typically of greenhouse gases).

This data is useful to investors who are increasingly scoring companies on their ESG performance. Investment management company Capital Group found that nine out of 10 investment professionals globally consider ESG in their strategies, with 57% believing that it can uncover attractive investment opportunities. However, 54% of them say that this data is more difficult to get. The more of it investors have, the more comfortable with they feel putting money into these companies

.Other pressures are prompting companies to focus on sustainability reporting. In the EU, the Corporate Sustainability Reporting Directive (CSRD) will enforce the European Sustainability Reporting Standards (ESRS), applying more detailed sustainability reporting on EU companies or those that operate in the bloc.

To understand the value of the sustainability data supporting these initiatives, follow the money. The Big Four are actively pursuing data-driven sustainability business. Deloitte invested $1bn in its Sustainability and Climate Practice in April 2022, and offers a sustainability analytics service practice that helps clients monitor resource usage both internally and across their supply chains. EY, KPMG, and PwC all offer services to create a sustainability strategy and then integrate operations data to support it.

An Expanding Attack Surface

Collecting and reporting this data creates several risks for companies:

Data depth and breadth

Companies harvest a wide range of operating data from their own facilities, ranging from the power consumption of individual machines through to waste production, fuel quantities and fleet numbers.

Some, like PwC, advocate data lakes that will hold a mixture of operational, biodiversity and safety data. These will be married with other data lakes holding customer and market information, along with data from ERP systems, IoT sensors and even HR data. It envisages all this information flowing through sustainability reporting tools.

Data scope

The other threat is the scope of the data collected, which extends beyond an organization’s proprietary operations to their suppliers’ data. PwC’s model for sustainability data includes third-party information from others in the corporate supply chain.

The attack on Schneider Electric compromised its EcoStruxure Resource Advisor platform. It’s a cloud-based system that collects and analyzes data about facility operations and supply chains. This enables clients to monitor and forecast energy consumption, and generate emissions reports. Its promotional material proudly states that it not only sources its clients’ own data feeds, but also data from third-party providers.

Data centralisation

Companies like Schneider Electric chase profits from sustainability data services by taking the collation and analysis of this data off clients’ hands. This makes these sustainability data service providers an attractive target for cyber-criminals that want to harvest large volumes of this valuable client information. Schneider Electric’s sustainability unit numbered several high-value companies among its clients, including Clorox, DHL, DuPont, Hilton, Lexmark, PepsiCo and Walmart.

How to Stay Safe in Pursuit of Sustainability

It isn’t clear whether the attack on Schneider Electric was targeted or just a lucky accident for opportunistic thieves, but either way this sensitive data is clearly a valuable target. So what can companies do to protect themselves?

Assessing vendors for effective security practices is key, including evaluating their cybersecurity controls certifications. However, these certifications do not guarantee 100% security. Other measures can reduce the probability of data theft.

Maintaining a strong data inventory is important – keeping track of any data that is shared, and clearly documenting the types of sensitive information a third-party service provider can access. Establishing protocols to manage access risk, both by third-party service providers and internally, is also good security practice.

Whether dealing with a third-party service provider or collating and keeping all of the data internally, protection against ransomware is crucial. This means putting controls in place, such as basic endpoint detection and prevention through to managed detection and response (MDR). Basic cyber-hygiene, including timely security updates and end-user training, are also useful lines of defense.

ESG data is becoming an increasingly appealing asset for online crooks, whether they catch it indiscriminately in their nets or search it out on purpose. Effective cybersecurity measures that are well documented will go a long way toward protecting this new jewel in the crown.