Bankrupt by Wrong Cybersecurity!
How some firms (especially SMBs) can go broke
How often do we hear a company went bankrupt because of a hack? You’ve probably never heard about such a thing. What we usually see in newspapers is millions of dollars in losses, big corporations involved, public outrage, among others. The case of Target in 2013, for example, comes quickly to mind. However, similar corporations are still on the market despite those incidents.
We have heard something like this: a company has never gone bankrupt
as a result of a data breach or a hack. Some of us at Fluid Attacks were
a bit skeptical about that ‘fact.’ We looked for contradictory evidence;
confirmation bias is a thing. Here is what we found.
The commonly known cases: big firms
First, we will take a look at the famous incidents to create perspective.
Target, the giant retailer, suffered one of the most significant
cybersecurity incidents in the past decade. Back in 2013, a cybercrime
group stole credit card data from around 110 million users from Target’s
databases, by implanting malware after exploiting some
In 2017, Target settled for USD 18.5
A more recent incident is Equifax’s. The hack was performed between May and July of 2017 and affected more than 143 million people. The data included full names, Social Security numbers, birth dates, addresses, and driver’s license numbers. The apparent permissiveness of judicial systems in holding the corporation accountable for the incident is striking, given this hasn’t been their first. A history from Bloomberg is worth reading. The settlement, in this case, was reached at USD 700 M.
A final example is what recently happened to Capital One bank. Around
100 million users’ data, specifically, credit card application data,
were stolen. A suspect has been arrested and accused of stealing the
information by exploiting a misconfigured firewall. Some news
the company estimates the incident will cost them between
USD 100 M to
Other corporations like Marriott International, Adobe, Uber, Experian, Yahoo!, and Sony have had significant cybersecurity incidents well covered by the press. Which of them is out of business?
The uncommonly known cases: small to medium-sized firms
Figure 1. Bankruptcy.
Some critical aspects of the previous section are the size of the costs,
the impact of the incidents, and the vulnerabilities present, leading to
risk materialization. How many companies could
USD 18.5 M? Just a few. There is no doubt that the majority
of firms are not in a position to face a similar event. Smaller firms
(mostly in headcount) could now cause tremendous harm by allowing data
breaches (as an example, think about a company with fewer than 50
employees, with revenue exceeding USD 3 M, and managing tons of user
healthcare data). Those same IT weaknesses are probably present (even
more prevalent) in smaller companies.
Here are a few stories about firms that went bankrupt due to a data breach, or at least where cybersecurity played a non-negligible role in going out of business.
MyBizHomepage: brought down by an insider
MyBizHomepage was founded in 2006. Its valuation at that moment was
USD 100 M. After the service was launched (2008), the principal
co-founder fired the firm’s CTO after learning the guy was creating
direct competition for the firm with two more people. The reason? The
company declined a proposal to be sold for nearly its valuation; the
CTO didn’t like the decision. The ex-CTO had implanted some
backdoors to remote-control the IT infrastructure, including backups,
and started crashing MyBizHomepage, making it unusable. The company
couldn’t retake control and had no choice but to shut down in 2009. A
wave of legal actions began from investors who lost a lot of money.
What is more: the ex-CTO, the internal investigations found, was
"But Mr. Justen said he did not realize that the chief technology
officer had no official identity: no driver’s license, no credit
cards, no tax returns. The chief technology officer apparently had
been living off the grid, which made tracking him down almost
impossible even with the help of the authorities". More details on
this story can be found
Youbit: filed for bankruptcy after second hack
Youbit, a small South Korean bitcoin exchange, went out of business after
suffering its second hack in 8 months, back in 2017. Cybercriminals
stole 17% of its assets. The first hack accounted for a loss of 4,000
USD 73 M in April. No technical details of the incident
are known. South Korean officials accused North Korean cyber-spies
of being responsible for the robbery.
There are many other cases related to bankruptcy and cybersecurity
incidents. Mt. Gox, a Japanese digital currency exchange, had a fate
similar to Youbit’s, following hacks in 2011 and 2014. "Mt. Gox lost
about 740,000 bitcoins (6% of all
bitcoin in existence at the time)". An interesting story was written by
Professor of Finance at Santa Clara University. Concerning the recent
US-China crisis, he made a case that high-level hacking by a well-known
Chinese corporation drove Canadian Nortel Networks into bankruptcy. In
2010, another company, Little and King, went bankrupt after its bank
The owner’s computer was infected by the Zeus Trojan, which stole
personal and financial information, probably by keylogging. Finally, it
is worth mentioning the case of Westinghouse Nuclear, which filed for
bankruptcy in 2017. The details of the story point to bad project
management, but indictments also point to Chinese hackers that stole
Concluding remarks: a massive risk for SMBs that can be better managed
We should update our beliefs about the impact cybersecurity can have.
More prominent players gain most of the attention; smaller ones remain
in the shadows, waiting to be found. SMBs indeed face huge risks
when their data and IT assets are not well protected and supervised.
Nevertheless, there are actions and processes SMBs could establish to
manage those risks better. One of them is to be proactive and comprehensive
in testing, and we mean testing by attacking. As in many of the cases
reviewed here, it all began with one or more weaknesses exploited by an
we excel in proactive security testing:
We are capable of continuously hacking enterprise-level systems. We can detect small changes that could pose risks to your business. We combine automated tools with the best-trained cybersecurity professionals.
We automate almost everything we know and do. A product we used to offer, Asserts, allowed us to evaluate the state of your systems quickly.
We store, describe, and track almost everything in our Attack Surface Manager (ASM). ASM makes it easier for our customers to keep track of their security weaknesses as well as fixes.
We hope you have enjoyed this post, and we look forward to hearing from you. Do get in touch with us!