What Does The Ace Cyber Attack Mean For You?

November 22, 2023


From the desk of Andy Carlson, 17-year Ace store owner

Andy Carlson opened his original Ace Hardware store in 2006 after a twenty-year corporate career in technology.  Upon closing his store in September 2022, Andy joined forces with Paresh Rana to help expand DilSe.IT.  Andy has 17 years of Ace technology expertise including Epicor, Mango, Margin Master, PCI compliance, Benjamin Moore, the Ace Retailer app, Zebras and more.

At DilSe.IT, we take pride in creating innovative processes and technologies that add value for Ace Hardware store owners, managers, and associates.  We call our approach the AceTech OS.

We all experienced a great deal of worry, stress, and disbelief on Sunday, October 29th, 2023 as Ace Corporate’s computer systems shut down as the result of a cyber attack.

Thanks to some heroic efforts by Ace Corporate staff and outside experts, Ace’s systems are now back online.  So, is this all in the rearview mirror?  Can we go back to our daily lives?  The answer is “yes” and “no”…

Yes… You should get back to business providing Ace Helpful service to your customers!

No… You need to maintain a heightened degree of awareness, and you need to do some things differently from now on.

The Cyber Criminals Will Likely Attack Again

The nature of cyber crime is that hackers tend to use information they gain from one attack to mount additional attacks.  We don’t yet know what information was compromised as a result of the cyber attack on Ace Corporate.  However, we all need to raise our level of awareness.  According to Barracuda Networks, thirty-eight percent of organizations that fall victim to a ransomware attack experience one or more additional attacks.  In the midst of the Ace Corporate attack we received a note from Bill Guzik to be cautious about emails appearing to come from Ace’s Finance Department asking stores to change their electronic payment terms, and to be alert for calls from people claiming to be from Epicor and asking to access your store’s Eagle system.

The criminals that attacked Ace may have gained access to store names, store numbers, owner names, or other information they can use to make subsequent attacks seem more credible.  One of the most common types of attacks cyber criminals make is called spoofing – this means they pretend to be somebody you know or trust to trick you into revealing sensitive information or allowing them access to your computer systems.  If a criminal contacts you and knows your store name, Ace store number, and the store owner’s name, they seem more credible and their “spoof” is more likely to succeed.

The best thing you can do is to assume EVERYTHING is fake.  I know this is a cynical way to think, but it can definitely keep you safer in the digital world.  In most cases, a criminal trying to spoof you will be pretending to be someone you know.  Here are some simple tips…

  • A person you know will likely already be in your contacts, or you will know how to find their legitimate contact information. Use the contact information you know to be valid to reach out to them independently to verify that the request you received from them is real.
  • If you receive a call from someone claiming to be a vendor or service provider that you know (e.g. Epicor) jot down what they are asking for and then end the call. Call the party back using a number you know to be valid to ensure the request is legitimate.
  • Never trust links you receive in an email. If you are being asked to visit a Website, go to the site yourself by typing the URL into your browser or using the saved URL you have in your password manager to ensure you are visiting the legitimate site.
  • Just because an email looks like it is coming from someone you know, don’t assume it is. Check the full email address of the sender to make sure it matches what you have in your contacts.  In the picture above, if you right-click on my name you can see that this email definitely did not come from me!

In the event of a legitimate request, the person reaching out to you is unlikely to be upset if you take these extra precautions to keep you and your company safe.
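An added example, not part of the original article: the "check the full email address" tip above, automated in Python for a mail administrator. The contact list, names, addresses and sample messages are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: display name -> addresses you verified yourself.
CONTACTS = {
    "pat example": {"pat@hardware-store.example"},
    "vendor support": {"support@vendor.example"},
}

# Constructed sample messages (headers only).
SAMPLES = {
    "real": 'From: "Pat Example" <Pat@Hardware-Store.example>\n\nHi',
    "name_spoof": "From: Pat  Example <pat@mail-hardware-store.example>\n\nHi",
    "addr_in_name": 'From: "support@vendor.example" <helpdesk@other.example>\n\nHi',
    "stranger": "From: Newsletter <news@shop.example>\n\nHi",
}

def _norm(text):
    """Lower-case and collapse whitespace so 'Pat  Example' == 'pat example'."""
    return " ".join(text.lower().split())

def classify_sender(raw_message, contacts=CONTACTS):
    """Return 'known', 'spoofed' or 'unknown' for a raw email message."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    display, address = _norm(display), address.lower()
    known_addresses = set().union(*contacts.values())

    # A match only means the visible address is one you recognise; the From
    # header can itself be forged, so unusual requests still get a call-back.
    if address in known_addresses:
        return "known"
    # The name shown to the reader is a contact's name (or a contact's
    # address typed into the name field) but the real address is not theirs.
    if display in contacts or display in known_addresses:
        return "spoofed"
    return "unknown"

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:13} -> {classify_sender(raw)}")
```

A "spoofed" result is the case described in the tip: the name looks familiar, the address behind it is not.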

Training For Your Employees Will Help Protect Your Store

Your employees are your first and last line of defense against cyber attacks.  The recent attack that shut down MGM casinos started with one low-level employee unknowingly letting a teenage attacker access critical internal systems.  If your employees are aware of the types of attacks and the methods hackers use, they are much less likely to fall victim to an attack.  Along with this, you should implement cyber security policies and procedures to protect your company’s sensitive information.  DilSe.IT is hosting a free training session for Ace Hardware store owners and managers on December 12th, 2023.  Click the image below to register.

Take Cyber Security Seriously

You go to great lengths to protect your store and your inventory from shoplifters and burglars.  It is equally important to protect your business’s digital assets from cyber criminals.  The average cost of a cyber attack on a small business is $30,000 – way more than the average loss from a shoplifting incident or even most burglaries.  Sixty percent of small businesses that suffer a cyber attack go out of business within half a year.

The costs of a cyber attack can be enormous:

  • Days or weeks of lost revenue – the Ace Corporate cyber attack lasted 6 full days.
  • Damage to your company’s hard-earned reputation – all 50 states require you to post a permanent public notice of a data breach on your Website.
  • The cost of a ransom to regain access to your data. Paying a ransom doesn’t guarantee the criminals won’t sell your data on the Dark Web, resulting in additional attacks.
  • The cost to pay for identity theft protection for 2+ years for customers and employees whose information was compromised.
  • If you’re not PCI compliant, you could lose the ability to process credit cards for a period of time, and 80%+ of an Ace store’s business is typically on credit cards.
  • If you’re not PCI compliant, your insurance company can elect to not pay out on your cyber insurance policy because you are in violation of your merchant services agreement.

Now is the time to start your journey to be more cyber secure.  After the recent Ace cyber attack, stay alert and get started today!

For more information, please email us at DeskOfAndy@DilSe.IT