Ace Hardware Still Reeling From Weeklong Cyberattack

Ace Hardware has yet to recover many of its IT systems five days into a cyberattack that affected 196 servers and more than 1,000 network devices.

Ace President and CEO John Venhuizen sent a letter to franchise owners on Monday morning, which was shared by a third-party contractor on Reddit. In it, Venhuizen explained that “many of our key operating systems, including ACENET, our Warehouse Management Systems, the Ace Retailer Mobile Assistant (ARMA), Hot Sheets, Invoices, Ace Rewards and the Care Center’s phone system have been interrupted or suspended. More specifically, the impact of this incident is resulting in disruptions to your shipments.”

In a follow-up FAQ, the CEO urged stores to stay open, as point-of-sale (POS) systems were unaffected.

According to a notice sent to store owners early Friday morning obtained by Bleeping Computer, Ace operates around 1,400 servers and 3,500 networked devices, of which nearly 200 servers and just over 1,000 other devices were impacted. Some 51% of those affected servers have since been restored and are being certified by Ace’s IT department.

In some ways, though, the story has only gotten worse since Monday. Many of the affected systems remain underwater and, in the leadup to the holiday season, customers remain unable to place online orders. Plus, there have been multiple incidents of store owners experiencing follow-on phishing attacks.

“While the impact to business operations and financial losses may be the most tangible examples of the damage that these attacks cause, the reputational impacts can be equally devastating,” Darren Guccione, CEO and co-founder at Keeper Security, points out. “The ripple effect from the damage can be felt for months and even years after the attack.”

Downstream Phishing Against Branches

A cautionary notice reportedly warned retailers of two different scams attackers are perpetrating, possibly with the information gathered from their initial breach.

“Specifically, one involves a criminal sending a spoof email asking the retailer to send electronic payments meant for Ace Hardware Corporation to an alternate bank while we work to restore our systems. The email looks legitimate and appears to be coming from someone in the Ace Finance Department,” the letter explained.

“The second instance,” it added, “involves a cyber criminal calling an Ace store posing as an Epicor employee asking for permission to gain access to the stores [sic] computer system through passwords, password resets and other remote means.” Epicor Software Corporation is a Texas-based business software company focused on retail, manufacturing, and distribution — and presumably, an Ace contractor.

“Breaches like this must serve as a wake-up call for organizations large and small to implement a zero-trust architecture, enable MFA, and use strong and unique passwords,” says Keeper’s Guccione. In addition, employees must be trained to identify suspicious phishing emails or smishing text messages.

“Users are the last line of defense, and organizations must consistently train their employees to recognize the latest attack vectors,” he says.