Cyberattacks can cost you more than just money. But also, they teach you a great lesson. The story of Xander Koppelmans.
It was a regular Thursday morning, five years ago. Goes, a small city in the South Western Netherlands, was just waking up to another sunny workday. So was Xander Koppelmans, the owner of a small but successful communication company PHGR, one among many working for the government and international clients. As usual, Koppelmans had several meetings to attend that day – but at 10:30, his plans were wrecked. He was sitting in a meeting room, when one of his colleagues knocked on the glass wall: “We’re being hacked. All the servers are empty, all the files are gone. What are we gonna do now?”
“I believed there was nothing to worry about,” reflected Koppelmans five years later. “We had three backup servers, so I was convinced our projects were safe. We just unplugged all our devices and went home since we couldn’t work anymore that day. I thought we would lose just a single day recovering the files. And that would be it.” Soon, it turned out it wouldn’t.
The backup servers were empty too. And so were the workstations, SD cards and external hard drives. “That was when things got serious. But still, there was one thing that could save us: data recovery,” explains Koppelmans. He ordered a recovery service and was told he could get 80% of his data back.
Although he knew this damage would already be costly, the news gave him hope – until he learned it was 80% of each file. “There were stripes over every single photo, video and advertisement. All of the recovered data was corrupted. We just got a pile of millions and millions of damaged files. Then I knew this was a total loss and we were in trouble,” says Koppelmans.
Even if you think you’re safe, you might be sorry
Xander Koppelmans founded his company in 1991, with just two people in the team. “I wanted to turn my hobby into my profession and do the things I love. I was living my dream,” says the entrepreneur.
And the business was growing successfully. “We didn’t even have to advertise our work. All we did was work hard and build great relationships with our clients. When the attack came, we had ninety projects running, around four hundred active client accounts, eight employees and thirty freelancers.”
Unlike many other small businesses, Koppelmans had always been aware of cybersecurity risks and had invested in data security as soon as the first viruses and spams came. “I learned that our clients were not only buying pictures from us, but also security. You might have the best photographer, but if you can’t trust that he’ll deliver his work, you can’t work with him. That is why we hired a professional IT administrator with strong security skills and put in place several in-house backup systems – since there was only a slow IDSN connection which didn’t allow us to make remote backups – and a firewall.”
But still, Koppelmans did not expect anyone to attack the agency. “Like many other small companies, we thought: why would someone do that? We make pictures of babies, buildings and food. That’s boring stuff.” And yet, they were hacked. It came down to weak passwords.
“We used passwords with around ten characters, including numbers and capital letters. Well, now I know it takes around 15 minutes for a hacker to breach such passwords,” elaborates Koppelmans.
The consequences you cannot express in numbers
What happened in April 2015 was a brute force attack. “It was like a Molotov cocktail thrown through our window. The hacker had been trying millions of combinations of usernames and password characters until he got in,” explains Koppelmans. “In the server log files, we saw some other hackers had been knocking on our door too, but this one eventually managed.”
The attack caused instant damage to the tune of 250 thousand euros – this was the approximate value of the destroyed projects. Right after the attack, Koppelmans went to the police. “The first thing they asked was if I had some description or footage of the criminal,” says Koppelmans amusedly. That was the first sign the investigation wouldn’t be successful.
Two weeks later, the case was finally handed over to the cybercrime department. “They said the attack probably came from abroad and that due to lack of powers, finance and capacities, they wouldn’t be able to track anyone down. I was told not to keep my hopes up since I’d probably be just another entry in the statistics.”
Instead of giving up immediately, Koppelmans hired a hacker, who found out that the attack probably came from China. The motivation and purpose? Unknown. This was a very vague result – but there was nothing else Koppelmans could do.
Yet, some of the clients had an understanding for what happened. All the same, the agency had to deliver. “The best solution was to do it all again. In the next four months, we spent days and nights retaking the photos and reshooting the videos. Anyway, there were some projects we could not fix, since, for example, they included a sequence of photos of a bridge under construction– at that time, and by then the construction was already finished.” These types of clients got their money back. And since the company had no capacity for new clients and projects, the financial loss was getting bigger and bigger. Koppelmans calculated the damage to be around 3.5 million euros today.
But back in 2015, Koppelmans lost more than just the money. “The team lost its magic, its confidence and started to have anxieties. Some people left. Before the attack, we would play music, have an office dog and an office bird and laugh together. We were a family. That was all gone. We started to feel stressed out and overwhelmed with work. It was not the money so much, but this secondary cost, that is what brought me down. Eventually, I suffered major burnout and was unable to work for another three months.”
After that, Koppelmans tried to save the company for another two years. “In February 2017, my accountant advised me to file for bankruptcy. I knew he was right: our power to make profit was gone.”
Chasing the dream again
Although it was a reasonable thing to do, closing down the business wasn’t easy. “Imagine you’ve been living your dream for 26 years, and all of the sudden, the dream’s over. You can’t comprehend that. I was always good with people and did my best, but all at once, it was useless and wasted… for nothing. I failed due to something I wasn’t even aware of. My mind was filled with the darkest thoughts at that time,” Koppelmans remembers. Eventually, it was the clients who pulled him through. “They told me not to give up and promised to buy my services if I keep up the good work.”
That same year, Xander Koppelmans started a new communications agency, taking something positive out of the tragedy. He learned a lot and changed in many ways. He now uses passwords of at least 30 characters and a password manager, doesn’t click on any suspicious online ads, updates the systems regularly, has a fiber-optic connection, and uses offline as well as cloud backups. “I’ve arranged everything so that when an attack comes, the data survives.”
But above all, he started from zero and got back to the roots of his work. “Before the attack, I dealt with a lot of paperwork, I didn’t have much time for the creative part of my job. I’ve reorganised my preferences, so that I can better concentrate on what I actually love and spend more time with my children too. I can choose what I want to do. From this perspective, the quality of my life is so much better,” explains the businessman.
When asked how he’s come to peace with the fact that the cybercriminal will probably never be caught, Xander Koppelmans replies: “When you think about it day and night, it gives you headaches. I gave it a rest. We should all know that cybercrime is a giant industry and as long as you’re online, you’re never 100% safe. There is only one way of preventing hackers from destroying your business. To be well prepared, when they hit you.”