Safety first: Lessons from the cyberattack on WPP

The cyberattack on WPP raises questions about agencies' role in data protection.

When the Petya ransomware attack hit WPP last week, crippling the systems of many of its agencies including J Walter Thompson, Maxus, MEC, Ogilvy & Mather and Y&R, the company’s corporate crisis-management machine sprung into action at a speed that its IT department could only eye with jealousy.

Staff from affected agencies were ordered into lockdown and to await instructions from WPP’s group IT function. Employees were also for-bidden to talk to the press while the problem was being resolved. In some instances, they were told to shut down their computers and servers completely (resulting in some creatives turning to good old-fashioned pen and paper). However, as the impact of the cyber-attack varied from agency to agency, there was no panacea.

WPP’s head office released a series of bland statements that understand-ably sought to reassure clients (and investors) that it was "working with our IT partners and law-enforcement agencies to take all appropriate precautionary measures, restore services where they have been disrupted and keep the impact on clients, partners and our people to a minimum."

The attack, which is thought to have originated from a WPP shop in Ukraine, was intended to bring chaos, not to obtain sensitive information 

Sir Martin Sorrell was quick to declare that WPP was "open for business". But this was somewhat contradicted by pictures that emerged on social media of people staring at blank screens or playing foosball. Some announced that they had been sent home, while others joked that they were considering alternative methods of communication – such as carrier pigeons – to stay in touch with the outside world. Other comedians were quick to blame Publicis Groupe’s artificial-intelligence platform Marcel, the development of which was announced in Cannes the previous week. 

But WPP insiders say the situation was far from funny and that they were working in an environment that, if not chaotic, was hugely disruptive.

When the first ransomware messages appeared on some PCs (Macs were not as badly affected, suggesting this was a Windows problem) in agencies across London, disaster recovery plans were activated. Staff were told to bring their own laptops to work. WhatsApp groups were created, with key messages cascading down from senior management on how the situation was being resolved. 

Priority was given to ensure trades could continue to be made and Xaxis, Group M’s programmatic trading platform, was said to be unaffected. Within media agencies, priority was given to search and paid-for social teams, while one insider said other trading departments bought Macs and went to work in local coffee shops.

The attack does not appear to have been as severe as initially feared

For some, the investment in new kit was welcomed – some agencies are said to rely on outdated Lenovo laptops. Certainly, IT infrastructure is something that WPP has been forced to look at. In its 2016 annual report, the company acknowledged that many of its businesses had systems that didn’t talk to each other and that it was in the second year of a multi- year programme to transform its IT capability. The report added, perhaps presciently, that the project was needed to enhance data security: "A failure to provide these functions could have an adverse effect on our business."

In fairness, the attack does not appear to have been as severe as initially feared. Early indications suggest that no client data was breached, despite the fact that many agencies (across all holding companies) have direct links with clients via dashboards. The assumption is that the attack, which is thought to have originated from a WPP shop in Ukraine, was intended to bring chaos, not to obtain sensitive information. It is understood that the situation has not yet been completely resolved as Campaign went to press.

The whole affair does expose the fact that advertising holding groups are as vulnerable to cyberattacks as any other company or public body. In an age of programmatic buying, advertisers have understandably been reluctant to share their data amid concerns about agencies aggregating their data with that of other clients, particularly after the furore over brand safety and inappropriate content. But for ad groups, which have been making such a play for clients’ data, the irony that their own security has been found wanting is not lost on anybody. 

Following this cyberattack, the narrative perhaps needs to move from brand-safety protocol to agency- safety protocol. Access to data has led to discussions on marketing effectiveness – but it has also started a debate about whether agencies can fully be trusted with it. 

Subscribe today for just $116 a year

Get the very latest news and insight from Campaign with unrestricted access to , plus get exclusive discounts to Campaign events

Become a subscriber


Don’t miss your daily fix of breaking news, latest work, advice and commentary.

register free