Cybersecurity February 20, 2018

How NOT to handle a data breach: 3 lessons from the world's biggest cyber attacks

Anonymous mask


Unless you work in the tech world, you may not be familiar with the name Robert Tappan Morris. Morris, alongside his business partner Paul Graham, founded Y Combinator, a seed funding accelerator which provided initial capital that launched the likes of Dropbox, Airbnb, and social forum Reddit into the stratosphere.

But Morris has another, even more influential claim to fame. He conducted the first ever cyber attack, and as a result was the first person convicted under America’s Computer Fraud and Abuse Act. The virus in question - the Morris Worm - was, he said, unleashed to measure the size of an ‘internet’ then still in its infancy. What it actually did was bring 6,000 of the 60,000 university and government computers attached to the network to a grinding halt, causing between $100,000–10,000,000 worth of damage according to the U.S. Government Accountability Office.

Skip forward to 2018 - where an estimated 31 billion devices are connected to the internet worldwide rather than 60,000 - and cyber crime is BIG business. According to The Official 2017 Annual Cybercrime Report, cybercrime damages will cost the world $6 trillion annually by 2021.

Scarier still, according to The Atlantic, being hacked is virtually inevitable. So what should you do if your defences are breached? Or rather, what shouldn’t you do? Luckily there has been a spate of high profile cyber attacks over the last few years to give us some pointers.

DON’T: Try and cover it up

The company: Uber

When it happened: October 2016

How it happened: The company’s developers published code that included their usernames and passwords on a private account of the software repository Github,

The full story:

In October 2016, ubiquitous taxi app Uber - no stranger to controversy - was the victim of a huge data breach where hackers accessed the names and driver's license information of 600,000 drivers, and the names, email addresses, and phone numbers of 57 million Uber users.

To avoid the negative press, the management team made an executive decision to pay off the hackers to keep quiet and delete the data. They made a second decision to smother the story themselves, keeping the general public, and those affected, in the dark.

And it worked, until Bloomberg broke the story a year later. Yes, getting hacked is embarrassing and potentially damaging to both your business and your customers. But it’s far more embarrassing and damaging being caught trying to brush a huge security flaw under the carpet.

Simply, your customers have a right to know if their data has been compromised. This becomes law in May as part of the incoming GDPR (General Data Protection Regulation) which gives companies 72 hours to report breaches.

The result: Another PR disaster for the firm, plus investigations from the Federal Trade Commission over likely violated breach disclosure laws.


DON’T: Leave yourself open to further attacks

The company: Equifax

When it happened: March 2017...May 2017...September 2017...

How it happened:

  1. Attackers “gained access to the accounts primarily by successfully answering personal questions about the affected employees in order to reset the employees’ pins”
  2. Hackers exploited a US website application vulnerability.
  3. The site was manipulated again to deliver fraudulent Adobe Flash updates, which infected visitors' computers with adware when clicked.

The full story:

Consumer credit reporting agency Equifax ‘collects and aggregates information on over 800 million individual consumers and more than 88 million businesses worldwide.’ It reported a large-scale attack on its customers on both sides of the Atlantic on July 29th 2017.

The attack, they said, happened in May 2017, where 143 million US customers’ and 400,000 UK residents’ also had their data illegally accessed. Data that included personal details like name, phone number, address, social security numbers and, in the case of the US, credit card details.

However, in September 2017, it was reported by Bloomberg that Equifax had learned about a separate major breach of its computer systems in March of that year - almost five months before the date it has publicly disclosed. The March attack, according to an official statement by the Atlanta-based firm was “not related to the criminal hacking that was discovered on 29th July.” But its inactivity and silence met with harsh criticism. Particularly as four of its executives sold shares before the credit-reporting firm disclosed the breach, adding a further layer to the saga.

While all this was going on, according to a report in ArsTechnica, Randy Abrams, an independent security analyst by day caught a second phishing attack this time trying to trick Equifax visitors into installing infectious adware.

To add insult to injury, a further 167,000 victims of the May 2017 data breach will receive a warning from the firm, indicating the May 2017 hack may have left them at greater risk of fraud

As a company which trades on people’s personal, secure data, Equifax should have known the PR disaster waiting to happen for. But for SMEs, the message is the same. If there’s a breach, security moves to the top of your priority list, no questions asked.

The result: The company’s shares fell nearly 19 percent after the initial breach, the PR hit was huge, and two executives, its chief information officer and chief security officer, left the company.

DON’T: Ignore your customers  

The company: Sony PlayStation Network

When it happened:  April 2011

The full story:

After Sony discovered a network intrusion by hacking team Anonymous between April 17 - 19th 2011, it shut down the PlayStation Network entirely. But rather than explain the reasons for the shutdown, users simply received a message when they tried to log in indicating that it was "undergoing maintenance”. They then kept account holders in the dark with information about the breach leaking out online in dribs and drabs while the security team reviewed system logs, servers and strange activity on the network.

In some respects, Sony did things right. The moment they spotted a potential flaw in their systems, they had internal and external experts delve into 130 servers and 50 programs to try and isolate the issue and quell it.

But online forums were abuzz with speculation, anger and frustration at the lack of information coming out from the executive team. In fact, it wasn’t until April 30th, 11 days after the attack, that any Sony executive revealed anything about the attack, with Sony’s No. 2 executive, Kazuo Hirai, holding a public press conference and apologising to customers. It took a further two weeks for Sony Chairman Howard Stringer to do the same.

Again, with GDPR demanding businesses report data breaches within 72 hours, this kind of behaviour would land businesses in legal trouble. But even in this case, the cost to the brand and the public’s trust was huge.

The result: A few failed lawsuits were brought against the company, although they were charged with a £250,000 penalty by the United Kingdom Information Commissioner's Office in 2013 for putting a large amount of personal and financial data of PSN clients at risk. The business also estimated they would lose approximately $171 million following the PlayStation Network outage.


Image credit:

via Flickr

Our gift to you...

Apply now for your personal leadership consultation with a Vistage Chair. They'll help you assess areas of strength of your business and identify areas of potential growth.

Apply Now

    Subscribe Here!