The Heat Group lost $2 million after getting hacked.

Founder and Managing Director Gillian Franklin revealed how her business was hacked in 2019.

The Melbourne-based wholesale cosmetics company has around 40 brands across beauty, healthy living and confectionery. It has been running for 20 years and sells products to more than 7,000 retailers.

The breach happened when Franklin was in London with one of her team members, preparing to do a presentation on one of its brands to retailer Tesco in the UK.

When the colleague logged on to do some work to prepare for the presentation, she went into the company’s shared folder and found that it was empty.

As this was the first time she had done work from London, she contacted the company’s IT manager in Melbourne who discovered the company had been hacked.

While the company’s emails were still online, Franklin said the rest of the business “was gone”.

“All our folders, all our data,” she said. “I said to someone, imagine your house is robbed with everything in it. Well, it’s the same thing except it’s your intellectual property. So, about half the folders were removed and about the other half we could see were encrypted, so we couldn’t [open them].”

The company also received an online ransom note asking for $40,000 in bitcoin.


Gillian Franklin's company breach felt like "a punch in the face". Image: SBS Insights

How the business responded

The whole IT team went about shutting down all servers, setting up a new firewall, resetting everyone’s passwords and trying to restore the business operations through backups.

“Because the hacker had gone into the backups as well, they’d made it very difficult,” Franklin said.

The company tried to negotiate with the hacker but they didn’t get a resolution. Heat Group wanted proof that they could decrypt one of the files, which they did.

But when Heat Group asked them to restore the files they removed, the hackers disappeared.

The IT department spent days getting the business back up and running.

“For the next three or four days the IT team worked 20 hours a day non-stop just to try and get us up and trading because we literally had no business,” Franklin said. “We couldn’t do anything – we couldn’t receive orders, process orders, pay bills.”

Not to mention payroll was looming in the coming week.

“It was just a very stressful time for everybody and a very unpleasant experience,” Franklin added. “It’s like somebody walking up to you and just punched you in the face out of the blue and you get a shock and it hurts. And then you think, ‘Oh my god, what happened? And how do I now defend myself?”

Franklin said there were two plans the company had to formulate and execute concurrently.

“One was the tech plan, which was about protecting the business, trying to restore as much as we could [and] focusing on our priorities – what did we need to recover first so that we could start trading,” she said.

“And then the second one was the whole communication plan because you need to tell everybody what’s going on. Customers are waiting for orders, suppliers may be waiting for payments.”

Franklin estimates that the whole situation cost the business around $2 million, as it couldn’t trade for about five days. The most expensive loss it incurred was its creative files which include photography and brand IP.

“The business wasn’t fully recovered,” she said. “It took a month at least before we started recovering files and people could start doing their work.”

Discovering who was behind the hack

When the hack happened, the business reported the issue to the Department of Defence’s cybersecurity unit to ask them if they could help. However, Gillian said they could not assist because “they said they never had any resources at the time.”

The Heat Group’s IT team was able to identify that the hacker came from Europe after tracing it. “We knew it was from Europe because we had a 24-hour delay to every piece of communication,” Gillian said. It received more clarification after being contacted by the UK’s cybersecurity centre.

“About four or five weeks after we’d been hacked, we received a letter from the United Kingdom cybersecurity centre,” she added.

“They’d written to the Australian government and they’d copied us to say that they knew this hacker – they called him an ‘actor’ – and they’d been monitoring him for a long time.

“They could see that he’d hacked 15 Australian companies, one of which was us.”

It was the UK team who told Franklin’s company that the hacker was from Russia. “They could see that this hacker had sold access to our system on the dark web for US$3,500 a pop.”

According to Franklin, the UK team encouraged the Australian government to support her company and also provided pages of technical advice on things to do, both for restoration and future protection. The Australian Government then got involved and also provided advice.

Advice to other businesses

Franklin decided to speak out because she doesn’t want other businesses to go through what she experienced. She appeared on SBS’s “Insight” on Tuesday night on the episode, “Being Hacked”.

“A lot of people cautioned me against it because they said the hackers don’t like it – they come after you to prove that they can still get in,” she said.

After having her business hacked, Franklin warned other businesses to be vigilant.

“Any business leader today and boards need to accept the fact that if a hacker wants to get in, they will,” she said, mentioning instances such as the Australian government and Toyota getting hacked.

She provided three pieces of advice for businesses based on her experience.

“First of all, they need to assume that it can happen and they need to have an action plan ready because the faster you can get your recovery up, you’re going to minimise your damage,” she said. Franklin also advised having all your processes and protocols documented in a safe place.

The second tip is to assume hackers are trying to get in all the time so make sure you have strong passwords and upgrade your software whenever you can.

“Constantly challenge and test your team, create your own phishing emails and send it to them as a dummy and see if they respond so there’s an ongoing, never-ending education process about how to protect the business,” Franklin said.

Thirdly, Franklin suggests making sure you have cyber insurance.

“Most companies have started with business disruption insurance but what they may not realise is that the insurers now have carved out that if you’re disrupted through a cyberattack, you’re not covered. You have to have separate insurance for a cyber attack.”

This article originally appeared on Business Insider and is reproduced here with permission.