A Middletown marketing agency was left in ruins by a cyber-attack that left more questions than answers
Travis Rothstein’s Middletown-based ConnecTheDot marketing agency was cyber-attacked last fall. Before the attack, the company had $10 million in annual billings, 120 relationship-based clients (and thousands more online), and 23 employees across the country.
Rothstein ran a company with a great deal of marketing expertise, so you would think he’d be prepared for a cyber-attack. But less than a year later, it’s all gone.
Participants in our recent Cybersecurity Roundtable repeatedly said that nobody believes a cyber-attack will happen to them. The fact that it happened to a business with a lot more digital expertise than most small-business owners sends a powerful reality check.
This is Travis Rothstein’s story in his own words. DBT has decided not to identify some people in this story and cannot independently confirm what happened since the investigation is ongoing.
The two-hour interview kept returning to the question of whether he missed something or perhaps just lost his focus. Rothstein talks about his mounting frustration as consultant after consultant was unable to explain what happened. But a question at the end of the conversation about having to let his entire team go as the situation deteriorated caused him to get emotional about how he felt.
We launched a website in May 2019 for a new webinar we had developed that would help identify individuals who are “stuck” in life and/or their career. We didn’t market it at all beyond a few links here and there. And that’s how I found out about what led to the demise of ConnecTheDot.
Two days after we launched, I started looking at the analytics and realized that 99% of our traffic was coming from outside the United States. We anticipated 200 page views, but we had more than 12,000 coming from Russia, Hungary, China and Budapest.
That’s when we realized we had been cyber-attacked and that someone had submitted us to what’s called a bot farm, where basically there were suddenly 173 versions of our website in 179 languages – none of which we controlled. These bot farms were essentially taking our website traffic and reselling it to third-party distributors as ad traffic.
Most of the issues were coming from our e-commerce platform, which normally drives about 30% of our business. For that segment of our business, we don’t directly interact with individuals. If someone needed a graphic design – just a one-off – they could pay and it goes to my team, and all the content that we created was designed to drive customers to our site.
Our e-commerce sales declined 11% between September and October 2018, to the point where I started writing a paper about marketing becoming a commodity because we thought it might simply be a pricing issue: Two years ago, I could get $300 for a graphic design; $75 is a lot to ask for [the same work] today.
We weren’t losing clients, but we also weren’t picking up new clients, and in retrospect that was because the cyber-attack was designed to block us from receiving forms or phone calls from our website. Clients would think they submitted the form, but we weren’t receiving them and the cyber-attackers had changed our phone number on all the sites.
In other words, the analytics that we were seeing weren’t real. In October 2018 we had an email issue where we received 5,000 emails every minute and it crashed our server. Once I told the cyber forensics team that, they immediately said it was a DNS (domain) issue and that took the investigation to a whole different level.
It wasn’t a case of us being asleep at the switch – although I can understand how you might think that – but we talked to the FBI, cybersecurity specialists and forensic people, and data-breach attorneys out of Germany and none of them could explain what happened. We had to file a dispute with our internet service provider (ISP) because to this day the people I’ve been dealing with believe they cyber-attacked the DNS servers and our ISP couldn’t – or wouldn’t – help us.
Everyone started pointing fingers at each other. Our ISP said it must be our hosting provider. The hosting guys did all these malware scans, everything. We blocked IP addresses. I even spent an entire week working on one IP Zone file and they said, “Nope, it’s not at this level” and said it must be our ISP.
All this literally took us from a $10 million company to zero in just a few months. I ultimately had to decide about continuing to go on. We had an ad system that always drove traffic. But from October to April of this year, those ads were getting zero penetration, so we no longer had any idea whether we had an audience that weren’t criminals.
We installed different analytics and that’s when we saw it because Google Analytics only goes to a certain level of detail.
The insurance company asked the same question you are: “How come you didn’t catch on to that?” Well, if you’re not looking for that type of stuff, how would you know? I guess I could’ve hired an in-house IT person that did forensics. I could’ve had a cybersecurity person. I could have tried to spend more on cybersecurity, but we really felt that everything was already secure.
We wondered whether it was a strategy or execution problem. Our ads weren’t working, no one’s filling out a form, no one’s calling us.
Is there anybody out there?
We spent $1,000 on Facebook for an ad that ran two days in the fourth quarter and got zero leads. Facebook said they’d get back to us and they just issued a refund. Our forensics people said it was click fraud and we gave that information to Facebook, but never heard back from them.
The only new business we were getting was from people who had our information and could send a direct email or talk to me. Since nothing online was working, we ultimately cut off our Facebook and other digital ads in early March. We had been told that our ads had been reaching this many people and were getting clicked on, but we weren’t seeing any conversions. We started reaching out to the social-media platforms, asking how do you explain that these ads are converting, but we’re not getting any phone calls, we’re not getting any email acquisitions. We’re not even getting referral traffic from that ad, but you’re saying we are.
Our website traffic patterns didn’t shift. They stayed at around 50,000 per month, even though we stopped advertising. And we still weren’t getting conversions.
Keep in mind that the professionals couldn’t figure this out. I’ve talked to 19 different companies to help me figure out the problem to the point where my insurance company is willing to spend up to a million dollars on data recovery to figure out what’s going on. It all boils down to first-party and third-party coverage from the insurance company policy.
Some of these companies said it was an internal breach. And then one of the cybersecurity guys advised us to stop dealing with our current clients; they told us to stop doing digital marketing because we didn’t know the source of the problems.
I was warned that I could be putting all my clients at risk, which would mean they could come after us if they had a similar experience. I sent them all an email and told them we had been cyber-hacked. Fifty percent said they were out. The other 50% said they’d stay.
Everyone agrees, the one thing we know for a fact is it was not an internal breach and it’s not linked to any of our clients.
‘I was truly stuck’
Back in March, I started working with a different mentor and had the chance to tell somebody else what was happening with my business. I had a feeling – and I still get choked up about it – that I had no voice. I liquidated my 401(k). I maxed out my credit cards to pay my employees because it was the right thing to do. I was afraid to post anything on social media.
I got to a point where I stopped taking people’s phone calls and people asked why I wasn’t responding to email. And it was because I didn’t know what to do. I was truly stuck.
We got a lot of advice. One company told me they’d help us, but we had to do the work. I had to create a thousand-page document that basically blocked all traffic from outside the U.S., so now anything we did internationally, completely done, like never again. When we did that, we noticed that the traffic issues minimized by 80%; today it is 100% resolved.
We changed the name servers and the DNS stuff. That led to zero responses from any outside country, meaning we’ve quarantined the issue. The problem is now getting our ISP to admit that it was their issue. But I have to admit that I never would have guessed there would be a day when getting zero responses would be a good day.
We had 3,000 online clients over the past five years, and 120 relationship-based customers. Now it’s zero because I can’t get [liability] insurance without knowing exactly what happened. What kind of multimillion-dollar lawsuit did I risk if I kept moving forward with my long-time clients? I didn’t lose clients; I gave them up. I didn’t want to feel like we were putting people in jeopardy even though we were being told from all these cyber-forensics and FBI people that it wasn’t an issue. It wasn’t an internal breach or any data breach that could affect them. And I couldn’t promise that they’d get great results if we ran ads for them. I couldn’t accept that.
Before this happened, I bought a cyber-policy that doesn’t even exist. I’m not even covered yet. My insurance company cannot figure out what box to check to give me coverage. ConnecTheDot is cutting loose our clients because we can’t afford the risk if something happened to them. And because of that, I couldn’t afford to keep my employees on payroll. I can’t afford that.
What am I doing today? Working on a new business endeavor that offers an arsenal of information and a step-by-step guided process to help individuals/companies move from stuck to fulfilled when a cyber-attack happens. We have been diligently working on this ever since the cyber-attack happened with plans to launch this new business in early 2020. We’ve all been stuck, with no voice and no place to go. After countless hours fixing what the cyber thieves stole, along with the hours battling and dealing with the insurance company on a resolution, we will not let this incident remove us from what we do best: helping people and helping companies. Stay tuned to what I believe will become the next pillar of combating this cyber delusion that is taking place daily.
I wanted to tell my story because people need to hear that it’s OK to ask for help. Before you ask for help, you wonder what’s my team going to think? It’s lonely. When you finally sit there and say, “I need help,” it’s a sign of strength. My mentor said, “The smartest thing I’ve ever heard from you is you actually asking for help, because now I know the whole story. And that’s why I can never help you.” He said just tell me the whole truth and I did.
This interview has been edited for length and clarity.