In March 2022, Lowell was subject to a cyber attack in our DACH region, affecting our business in Germany, Austria, Switzerland, and Croatia. The attack was a ransomware demand carried out by a well-known cyber crime group and was part of organised criminal activities.

    A swift response was clearly needed, and we immediately put in place our crisis response plan to contain the attack and set up a crisis management team capable of swift decision making. Our IT systems detected the breach and we immediately acted to implement countermeasures, shutting down all our systems in the region and disconnecting them from external connections, in accordance with our guidelines. We also notified the relevant authorities, such as the relevant data protection authorities, and our expert IT specialists and a team of forensic experts got straight to work on identifying and rectifying the issues affecting our systems.

    Of course, this decisive action did mean that our ability to interact with our customers and clients was severely impaired. Our colleagues were also unable to access the systems they needed for their work. It was imperative that we contacted our colleagues, customers, and clients to inform them of the situation as quickly as possible and then keep them updated regularly. Open, transparent, and swift communication to all affected parties was essential and at the heart of our actions.

    We were able to contain the attack, though our systems were out of action for some weeks. No ransom was paid to the criminal group, and while this did result in data being stolen, we did our utmost, in close cooperation with the responsible authorities, to advise potentially affected individuals on how to protect themselves. Following our notification to the relevant authorities in line with GDPR requirements and ongoing open and transparent communication, data protection authorities informed us that they will neither proceed with any further investigations nor apply sanctions or other measures.
     

    “Our response to the cyber-attack in the DACH region was guided by our values, and in particular Responsibility – earning trust by being open, reliable, and accountable with everyone who was affected by this inside and outside the business.”

    Susanne Schneider

    Chief Risk Officer, DACH

    This was undeniably a serious attack and caused major disruption to our business. But, besides a rigorous learning process to identify all areas where we could further improve our security measures (which we have now done), we believe that our actions and handling of this incident are equally important. Hence, our response was guided by our values, and in particular Responsibility – earning trust by being open, reliable, and accountable. Our customers and clients have told us how much they appreciated our openness, and the proactive efforts we took to communicate with them throughout this time. What could have been a damaging episode has, in fact, strengthened the bond of trust between us and those with whom we work.

    That’s why we believe our values are there to help us in moments of critical decision making and in this way we are living up to our sustainability ambition as a ‘Responsible Business’ to be resilient, ethical and transparent in all of our actions.