Bankrupt by Wrong Cybersecurity!

We have heard something like this: a company has never gone bankrupt product of a data breach or a hack. Some of us at Fluid Attacks were a bit skeptical about that ‘fact.’ We looked for contradictory evidence; confirmation bias is a thing. Here is what we found.

Target, the giant retailer, suffered one of the most significant cybersecurity incidents in the past decade. Back in 2013, a cybercrime group stole credit card data from around 110 million users from Target’s databases, by implanting malware after exploiting some IT weaknesses. In 2017, Target settled for USD 18.5 M.

A more recent incident is Equifax’s. The hack was performed between May and July of 2017 and affected more than 143 million people. The data included: full names, Social Security numbers, birth dates, addresses, and driver license numbers. It is striking the apparent permissiveness of judicial systems to make the corporation accountable for the incident, given this hasn’t been their first. A history from Bloomberg is worth reading. The settlement, in this case, was reached at USD 700 M.

A final example is what recently happened to Capital One bank. Around 100 million users’ data, specifically, credit card application data, were stolen. A suspect has been arrested and accused of stealing the information due to exploiting a misconfigured firewall. Some news outlets say the company estimates the incident will cost them between USD 100 M to 150 M.

Other corporations like Marriott International, Adobe, Uber, Experian, Yahoo!, and Sony have had significant cybersecurity incidents well covered by the press. Which of them is out of business?

Some critical aspects of the previous section are the size of the costs, the impact of the incidents, and the vulnerabilities present, leading to risk materialization. How many companies could settle for USD 18.5 M? Just a few. There is no doubt that the majority of firms are not in a position to face a similar event. Smaller firms (mostly in headcount) could now cause tremendous harm by allowing data breaches (as an example, think about a company with less than 50 employees, with revenue exceeding USD 3 M, and managing tons of user healthcare data). Those same IT weaknesses are probably present (even more prevalent) in smaller companies.

MyBizHomepage was founded in 2006. Its valuation at that moment was around USD 100 M. After the service was launched (2008), the principal co-founder fired the firm’s CTO after knowing the guy was creating direct competition for the firm with two more people. The reason? The company declined a proposal to be sold for nearly its valuation; the CTO didn’t like the decision. The ex-CTO had implanted some backdoors to remote-control the IT infrastructure, including backups, and started crashing MyBizHomepage, making it unusable. The company couldn’t retake control and had no choice than shutting down in 2009. A wave of legal actions began from investors who lost a lot of money.

What is more: the ex-CTO, the internal investigations found, was untraceable. "But Mr. Justen said he did not realize that the chief technology officer had no official identity: no driver’s license, no credit cards, no tax returns. The chief technology officer apparently had been living off the grid, which made tracking him down almost impossible even with the help of the authorities". More details on this story can be found here.

Youbit, a small South Korean bitcoin exchange, went out of business by suffering its second hack in 8 months, back in 2017. Cybercriminals stole 17% of its assets. The first hack accounted for a loss of 4,000 bitcoins worth USD 73 M in April. No technical details of the incident are known. South Korean officials accused North Korean cyber-spies responsible for the robbery.

There are many other cases related to bankruptcy and cybersecurity incidents. Mt. Gox, a Japanese digital currency exchange, had a fate similar to Youbit’s, following hacks in 2011 and 2014. "Mt. Gox lost about 740,000 bitcoins (6% of all bitcoin in existence at the time)". An interesting story was written by Hersh Shefrin, Professor of Finance at Santa Clara University. Concerning the recent US-China crisis, he made a case for a high-level hacking making Canadian Nortel Networks go bankrupt by a well-known Chinese corporation. In 2010, another company, Little and King, went bankrupt after its bank account was emptied. The owner’s computer was infected by the Zeus Trojan, which stole personal and financial information, probably by keylogging. Finally is worth mentioning the case of Westinghouse Nuclear, which filed for bankruptcy in 2017. The details of the story point to bad project management, but indictments also point to Chinese hackers that stole intellectual property.

Want to read similar stories? - American Medical Collection Agency (AMCA) - Mossak Fonseca - Colorado Timberline - Code Spaces

We should update our beliefs about the impact cybersecurity can have. More prominent players gain most of the attention; smaller ones remain in the shadows, waiting to be found. The SMBs indeed face huge risks when their data and IT assets are not well protected and supervised.

Nevertheless, there are actions and processes SMBs could establish to manage those risks better. One of them is to be proactive and integral in testing, and we mean testing by attacking. As many of the cases reviewed here, it all began with one or more weaknesses exploited by an attacker. At Fluid Attacks, we excel in proactive security testing:

We hope you have enjoyed this post, and we look forward to hearing from you. Do get in touch with us!