Cyber-Harm and Who Would Want to Be A CSO/CIO?

How much can a data breach cost? Well, for Uber it was around $21 billion and also cost the CSO his job. For Equifax, it is at least $1.6 billion.

Cyber-harm

In order to understand the effect of a cyber incident, it is important to understand its impact and the harm done. In the Sony hack of 2015, the company had to cope with both reputational damage and the psychological damage of the leaking of millions of documents and hundreds of thousands of emails from senior executives within the company. Agrafiotis et al. [1] define a taxonomy for understanding harm, which is outlined in Figure 1. It defines a number of main categories and the subtypes of harm:

  • Psychological harm. This relates to the mental health issues caused by the incident, both for internal staff who have to cope with the incident and for those who have been targeted. The effect of a hack on the personal finances of a customer, for example, can have serious implications, and in the most extreme cases could lead to suicide. It can also relate to the general concerns that an incident causes within society. The Cambridge Analytica scandal caused widespread concern around the way that social media companies generally handle personal data, and the consent levels that are applied. Key emotions that could relate to an incident are confusion, discomfort, frustration, worry/anxiety, embarrassment, shame, feelings of guilt, loss of self-confidence, and general negative feelings.
  • Economic harm. This is the economic effect that an incident might have on an organisation, such as disrupted operations or sales, and also the financial loss of those involved in the incident. It might result in a reduction in customers, profits, growth, investment and stock price, which could lead to a loss of jobs. While there is evidence of cyber incidents having an initial effect on the stock price of companies, the longer-term damage is not quite as apparent, and stock prices often bounce back. Extortion, too, can lead to significant economic harm, such as ransomware payments or DDoS threats. A more direct impact can be the theft of finances, compensation pay-outs and regulatory fines. In order to cope with the incident, the organisation may also be hit with investigation costs and PR response costs.
  • Reputational harm. This relates to the harm that an incident can have on the reputation of an organisation, including damaged relationships with customers, suppliers and partners. These could lead to reduced business opportunities and result in the loss of key staff, as well as an inability to recruit staff. There can also be continual probing and scrutiny from media outlets after an incident. Facebook, for example, has been continually probed about its privacy practices since the Cambridge Analytica scandal. In the worst case, the organisation may actually lose its certification to act in key marketplaces, along with a reduction in credit ratings.
  • Social and societal harm. This relates to the general harm that an incident can create within society, such as a loss of trust in an organisation, and the resultant effect that this can have on employees of the organisation. There might also be disruption to daily activities and to business operations. In 2017, Capita's systems were knocked out for at least two days, affecting council and NHS infrastructures around the UK (including Sheffield City Council). It related to a power failure in West Malling, London, where the generators failed and shut down the whole of the data centre.

Figure 1: Cyber harm taxonomy [1]

A $21 billion Uber problem

In 2016, Uber leaked the data of around 57 million users and 3.7 million drivers. This included names, email addresses and mobile phone numbers of users. Uber took over a year to actually report the breach, and initially paid the hackers $100,000 as a bug bounty reward.

It occurred when hackers were able to gain access to Uber's GitHub account, where they found the login details for Uber's AWS account. With these account details, the hackers then managed to offload 16 large files, which included passengers' names, phone numbers, email addresses and location details.

Uber put the blame on their chief security officer — Joe Sullivan — who was replaced as part of the mitigation plan. As with Yahoo, the company announced the breach at a time when part of the company was being acquired. Over the course of the months after the breach was announced, the valuation of Uber dropped from $69 billion to $48 billion, and Uber lost a great deal of its reputation around the hack. In the UK, the breach affected around 3 million UK-based users and resulted in a £385,000 fine from the ICO, while in the US Uber was fined $148m for not notifying drivers about the breach.

Equifax

In 2017, Equifax released details that an unpatched vulnerability in their Web infrastructure had resulted in a breach of data on 147 million of its consumers. Equifax's CEO at the time, Richard Smith, initially blamed his IT staff for failing to patch their systems, but the report reveals that their infrastructure was riddled with security problems and suffered from a general lack of investment in security.

Along with this, Equifax's infrastructure suffered from many problems, including continual crashes and incorrect results showing up in searches. The main failing in the breach was the failure to patch their Apache Struts infrastructure, even though a major vulnerability had been announced many months previously. In fact, their whole data architecture was creaking and used a near 50-year-old web infrastructure. The vulnerability allowed intruders to access Equifax's data via a shell command, and they remained unnoticed for over two months. From the initial pivot point, they then made 256 accesses to the system and over 9,000 data queries. In the end they managed to gain access to an unencrypted file containing passwords and to over 40 databases of unencrypted customer data.

Equifax was not able to detect the accesses because their network scanner had been idle for around 19 months; it was inactive due to an expired certificate. It then took another two months for Equifax to update the expired certificate, after which the accesses were detected. The company took another two months to actually report the breach (before which some staff sold off their shares in the company). And so Equifax was hacked in September 2017, having failed to patch a vulnerability in Apache Struts 2 (CVE-2017-5638) which had been published in March 2017.

For Equifax the cost has been at least $1.6 billion: the company has had to invest over $1 billion in improving its security, and will have to pay $425 million into a Consumer Restitution Fund, along with a $175 million payment to several US states.

Target Stores

In December 2013, Target Stores released details that they had been hacked over several weeks, with around 110 million credit and debit card customer details compromised. The CIO and CEO eventually resigned a few months after the announcement, and recent estimates put the costs at around $162 million.

Heartland

In March 2008, Heartland Payment Systems was breached via an SQL injection, and the credit card details of 134 million accounts were compromised. The hack was eventually detected by Visa and Mastercard, who reported — in January 2009 — that many suspicious transactions were occurring from account holders related to the company. A major impact for Heartland was that they lost their Payment Card Industry Data Security Standard (PCI DSS) compliance for several months. They also ended up paying around $145 million in compensation for related fraud.

Yahoo

One of the largest data hacks was in 2013, when Yahoo leaked around three billion user accounts, including email addresses, dates of birth and telephone numbers. While not confirmed, the company reckoned that the majority of the hashed passwords used the bcrypt method (which is more difficult to crack than traditional methods such as LM, MD5 and SHA hashing). At the time Verizon were looking to take over Yahoo, and the breach is thought to have reduced the valuation of Yahoo by $350 million.

Marriott

The Marriott International group were affected from 2014 to 2018 by a leak of data including contact information, passport numbers and credit card details. In the end the breach affected around 500 million customers. It originated with a hack on Starwood Hotels, and, after Starwood was taken over by Marriott International in 2016, the intruders remained unnoticed until 2018.

JP Morgan Chase

In 2014, hackers managed to gain access to 83 million accounts within JP Morgan Chase, which resulted in the company making significant investments in its IT infrastructure and, as with Uber, replacing its CSO. Within the hack, the hackers managed to get root access to more than 90 servers within the infrastructure, and managed to transfer funds and close accounts. It is thought that the hack brought profits of over $100 million.

A number of customers were in the end impacted through financial fraud. The cost to JP Morgan Chase is not known, but the company has invested intensively in its security practices, which is likely to have cost several billion dollars. A recent estimate of JP Morgan Chase's spending on security is $250 million per year.

British Airways

In 2019, British Airways (BA) discovered a hack of around 380,000 credit card details from customers of its site. The focus of the hack involved the replacement of the modernizr-2.6.2.js file, into which a backdoor was inserted so that when credit card details were posted, they were also posted to the hacker's site (baways.com). The hack was thought to have been running for around 15 days on the British Airways site. Since then BA has been ordered by the Information Commissioner's Office (ICO) to pay £183.39 million ($230 million) for a lack of protection of citizen data.
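One defensive check against a swapped script file of the kind described above is Subresource Integrity (SRI): the page pins each script to a hash, and a browser (or a monitoring job) refuses a copy whose hash no longer matches. The example below is added here and is not BA's code or the original page's; both script bodies are constructed stand-ins, and the file name is taken from the text.

```python
import base64
import hashlib

# Constructed stand-in for the original third-party library (not the real modernizr file).
GOOD_SCRIPT = b"/* modernizr-2.6.2.js (constructed sample) */\nwindow.Modernizr = {};\n"

# Constructed stand-in for a tampered copy: the same library with one extra line appended,
# enough to change the digest. No real skimmer logic is included.
TAMPERED_SCRIPT = GOOD_SCRIPT + b"// extra line appended by an attacker (constructed)\n"

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")  # the digests SRI allows


def sri_integrity(script: bytes, algo: str = "sha384") -> str:
    """Return the value for an HTML <script integrity="..."> attribute.

    SRI uses the form '<algo>-<base64 digest>' over the exact bytes served.
    """
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, script).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(script: bytes, integrity: str) -> bool:
    """Check a fetched script against a previously recorded integrity value.

    Browsers perform this comparison before executing a pinned script; running
    the same check from a monitoring job catches a swapped file server-side.
    """
    algo, _, expected = integrity.partition("-")
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    actual = base64.b64encode(hashlib.new(algo, script).digest()).decode("ascii")
    return actual == expected


def script_tag(src: str, integrity: str) -> str:
    """Build the <script> tag that pins the script to the recorded hash."""
    return f'<script src="{src}" integrity="{integrity}" crossorigin="anonymous"></script>'


if __name__ == "__main__":
    pinned = sri_integrity(GOOD_SCRIPT)
    print(script_tag("/js/modernizr-2.6.2.js", pinned))
    print("original verifies:", verify_sri(GOOD_SCRIPT, pinned))   # True
    print("tampered verifies:", verify_sri(TAMPERED_SCRIPT, pinned))  # False
```

SRI only helps while the HTML carrying the integrity attribute is itself trustworthy; an attacker who can rewrite the page as well as the script can simply update the pin, so the hash should also be recorded out of band and checked by a job that fetches the live file.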

Sony

In April 2011, the Sony PlayStation network was hacked for 77 million accounts — full names, passwords, e-mails, home addresses, and purchase history — and 12 million unencrypted credit card details. It caused its gaming infrastructure to be down for around four weeks. It had an estimated cost of $171 million, along with a class action lawsuit which cost $15 million.

Home Depot

In September 2014, Home Depot reported that the credit/debit cards of 56 million customers had been breached. The hack had been running for several months, and involved the installation of malware on POS (Point-of-Sale) devices. The company estimates that the breach cost $161 million, including over $19.5 million in compensation to customers, $6.5 million for customer protection services and at least $13 million for other related customer expenses.

Anthem

In February 2015, Anthem — the second largest health insurer in the US — announced that around 78.8 million customer details had been breached. The breach included names, addresses, Social Security numbers, dates of birth and employment histories. The cost of the breach is thought to exceed $100 million. Up to the current time, there has been little evidence that the details breached in the hack have actually been used to steal an identity.

RSA Security

In the security industry, RSA Security had been a guiding light in the application of advanced cryptography methods. But in March 2011, they announced that it was likely that 40 million employee records had been breached. It involved the penetration of RSA Security's network from outside, and resulted in the intruders stealing information on SecurID authentication tokens. The overall remediation cost is thought to be around $66 million.

Others

In 2015, the Ashley Madison site leaked over 33 million accounts, and its users were targeted for blackmail. Then, in October 2016, the FriendFinder Network — which included Adult Friend Finder, Penthouse.com, Cams.com, iCams.com and Stripshow.com — reported a breach of over 412 million accounts covering around 20 years of data, including names, email addresses and passwords. Unlike Yahoo, the network used a weak password hashing method (SHA-1), and most of the passwords were cracked within two months of the data breach.

In May 2014, eBay announced that a hack of 145 million accounts had released names, addresses, dates of birth and encrypted passwords. The hackers used the credentials of three trusted users from the company. Overall it had little effect on the company, which reported revenue up by 13% in the quarter after the hack.

Conclusions

Tell your CEO that a breach can be expensive, and that it is their responsibility to properly understand risks, threats and harm. If you are a CSO or a CIO, be a little worried that the buck may stop at your door.

References

[1] Agrafiotis, I., Nurse, J. R., Goldsmith, M., Creese, S., & Upton, D. (2018). A taxonomy of cyber-harms: Defining the impacts of cyber-attacks and understanding how they propagate. Journal of Cybersecurity, 4(1), tyy006.