Nana Banerjee, the chief executive and president of The Weather Network’s parent company, Pelmorex Corp., had a sinking feeling in his gut.
Around 1 a.m., he began looking at his e-mails, as he tends to do when he isn’t able to sleep. He found himself looped in on notes from the company’s production teams. Some systems weren’t working properly.
“This thing is down, that thing is down. We’re figuring it out. We don’t know why,” he remembered, months later, of those early-morning hours.
He paced fretfully, scouring for updates. The skies outside his windows were turning bright when it all started to make sense: This was likely a hack.
Pelmorex was about to learn that it had joined the growing ranks of companies around the world that have been targeted by ransomware, a type of malicious software that allows hackers to lock organizations out of their own files until they agree to pay their attackers exorbitant sums of money.
In the coming weeks, the attack would roil the company and strain its computer systems, which in addition to supplying weather information also control Canada’s national emergency alert system, Alert Ready.
In a candid interview at his New York home, surrounded by towers of books and an assortment of artwork, Mr. Banerjee described how Pelmorex worked to limit the damage.
He recalled hopping on a plane on Sept. 11, the morning of the attack. Within hours, he was at the company’s headquarters in Oakville, Ont. Most of the office’s employees work remotely. But for this they were summoned to huddle in person.
It was going to be a hectic, fraught and restless Monday. “What is our reaction here?” Mr. Banerjee wondered at the time. “Should we be turning everything off? How long should that last? The list goes on and on and on.”
Pelmorex had been locked out of many of its files, and there was a ransom note attached.
While the company figured out what to do next, it turned off nearly every one of its computers. Its mobile applications and websites – including the French-language MétéoMédia, El Tiempo in Spain, O Tempo in Portugal, Clima in Brazil, and other weather services around the world – were incapacitated.
Mr. Banerjee called the attack Pelmorex’s biggest crisis to date.
“Now that I have the benefit of hindsight, I can tell you simply that it was a distraction and loss we just didn’t need,” he said. “It was a nightmare.”
Mr. Banerjee arrived at Pelmorex only five months before the cyberattack, after holding senior roles at Citibank, General Electric and McGraw Hill. He had never seen a breach like this before.
No hack ever comes at a good time, but this was a particularly inopportune moment for a weather-information distributor to be hit. The Atlantic hurricane season was in full effect, and Hurricane Lee was menacing Canada’s East Coast.
It didn’t take long for the public to learn something was wrong. Weather Network app users almost immediately noticed an interruption in services. Newspapers, including The Globe and Mail, publish Weather Network forecasts, and would soon find they were unable to do so.
Pelmorex had to decide what information to divulge, and what to withhold. The company wanted to avoid saying anything incorrect, or that it wasn’t yet sure of, Mr. Banerjee said.
Immediately, there were worries about Alert Ready, which Pelmorex owns and operates. The warning system pushes alerts to all TV and radio stations in Canada, and was made mandatory on cellphones in 2018. It’s used for emergencies such as child abductions, climate catastrophes and active gun violence.
Mr. Banerjee said the company had always kept those systems separate, as a preventative measure, and that they were not affected by the hack.
“The only thing we did find concerns with was that we are also the last-mile distributors for the prompts coming for Alert Ready, and our distribution was affected,” he said. “But we had a lot of backups for that – and there were backups for the backups with Alert Ready.”
Well before the hack, the company had sketched out a plan for a massive upgrade of its weather forecasting system and methodology. By September, the project was supposed to go ahead in a matter of days. With the hack continuing to disrupt its systems, the company decided to proceed earlier than planned.
While it did that, it needed a way of restoring as much of its existing networks as possible. And so it turned to backups.
Mr. Banerjee reassigned a group of employees who ordinarily work on business-to-business commercial ventures. Now they were instructed to switch their APIs to service the company’s consumer-facing side.
APIs, or application programming interfaces, are pieces of computer code that allow two or more software applications to communicate with one another. Weather apps, such as the ones on smartphones, rely on APIs to access and provide weather data.
By around 6:30 p.m. on the first day of the hack, the company had rearranged its APIs to make sure at least some weather updates could be sent out to Pelmorex customers, Mr. Banerjee said. “That gave us the room to breathe again, so we had some time to assess which switches to slowly turn on.”
“Then, there was – and this is really the heart of the situation – the element of fear,” he said. “How do we know if the hackers are still in our systems? Are they looking at or watching us?”
The only safe way to go back to normal was to reconfigure everything. But even that wouldn’t have guaranteed that the cyberattackers had been locked out, Mr. Banerjee said. To make that conclusion, Pelmorex would have to rely on external cybersecurity experts and the police.
“You literally go through every computer, every remote device belonging to even contractors, all our people, just literally every single thing,” he said. “We were all scanned, first at the high level, assessing what our machines are communicating to the outside. Then, we were scanned on the inside to make sure there was no malware there.”
The next day, by 7 p.m., Pelmorex was able to relay full versions of its weather forecasts. It wasn’t easy, but the process kept getting smoother.
Still, the hack caused “massive issues of trust with customers, advertising agencies, and our other media partners” that relied on the company’s weather data, Mr. Banerjee said.
“We’re in a competitive space, there’s no doubt about it. We had many folks who liked us but were moving away for their weather on Apple or elsewhere because they didn’t want to deal with us and our problems.”
Pelmorex was still pondering whether or not to pay a ransom.
A week after the start of the attack, the notorious Russian malware group LockBit threatened to leak the company’s data within a few days if it didn’t pay up by Sept. 24. The hackers claimed they had “downloaded a lot of databases” and that they would publish them on the dark web, a corner of the internet often used for illicit purposes.
Mr. Banerjee was not perturbed. “By then, we knew what they had,” he said. “And if indeed that was the totality of what they had, it was like some – for a lack of a better way of describing it – gym clothes in a bag.”
This is when the company decided not to pay the attackers. Mr. Banerjee knew that they would start releasing information at some point. Pelmorex, he said, just had to bear it.
Many business leaders would have chosen to pay the ransom, Mr. Banerjee noted. Ultimately, the company realized doing this would put it in an even worse position. “Because then the bad actors could try this again and get money out of us.”
“Once we got on the other side of it, we’d be able to confirm there was not much of a difference between what data they had versus what we thought they had,” he said. “What they kept doing here was playing on our fears.”
After that, the recovery process became a daily check of what services Pelmorex could turn back on, one step at a time.
As the effects of the hack carried over from September to October, each day felt like a milestone.
“‘Oh, look, we hit the three-day mark since things have been okay,’ ” Mr. Banerjee recalled. “ ‘Oh, look, it’s been four days now.’ That’s how we measured things.”
These days, Mr. Banerjee frequently finds himself wondering why exactly Pelmorex was targeted. “There is an almost romantic notion of Alert Ready, and the hackers trying to impact national security,” he said.
“But I’ve come to the conclusion that they have a list. It’s a list of businesses that are rank-ordered based on their revenues posted on public websites. They basically go through that list and put their efforts to seeing what they can infiltrate.”
He said he believes most hacking groups are state-sponsored entities. “They’re targeting businesses because that fits in with their broader agenda,” he added.
The RCMP and the federal Communications Security Establishment have aired similar concerns. In a recent report, the agencies said Canada’s national security and economic prosperity will increasingly be threatened by organized cybercrime over the next two years, as hackers – mostly from Russia – attack critical infrastructure and high-value businesses.
Mr. Banerjee said he wants other business leaders to be cautious. He added that this is partly why he has chosen to be transparent about his experience. He is urging others to do the same.
“These hackers are incredibly sneaky,” he said. “They have ways of constantly trying to figure out what software you’re running, because they’re trying to emulate exactly that unique software, so they can fake into your systems.”
“They spend a good month doing research on you. They know exactly who you are and what your company is. You’re looking at millions and millions of dollars of losses if Canadian businesses are not prepared.”