Bankrupt by Wrong Cybersecurity!
How some firms (especially SMBs) can go broke
How often do we hear a company went bankrupt because of a hack? You’ve probably never heard about such a thing. What we usually see in newspapers is millions of dollars in losses, big corporations involved, public outrage, among others. The case of Target in 2013, for example, comes quickly to mind. However, similar corporations are still on the market despite those incidents.
We have heard something like this:
a company has never gone bankrupt as a result of a data breach or a hack.
Some of us at
Fluid Attacks were a bit skeptical about that ‘fact.’
We looked for contradictory evidence;
confirmation bias is a thing.
Here is what we found.
The commonly known cases: big firms
First, we will take a look at the famous incidents to create perspective.
Target, the giant retailer,
suffered one of the most significant cybersecurity incidents
in the past decade.
Back in 2013, a cybercrime group stole credit card data
from around 110 million users from Target’s databases,
by implanting malware after exploiting some
In 2017, Target settled for USD 18.5 M.
A more recent incident is Equifax’s. The hack was performed between May and July of 2017 and affected more than 143 million people. The data included full names, Social Security numbers, birth dates, addresses, and driver’s license numbers. The apparent permissiveness of judicial systems in holding the corporation accountable for the incident is striking, given that this wasn’t their first. A story from Bloomberg is worth reading. The settlement, in this case, was reached at USD 700 M.
A final example is what recently happened to Capital One bank.
Around 100 million users’ data,
specifically, credit card application data, were stolen.
A suspect has been arrested and accused of stealing the information
by exploiting a misconfigured firewall.
Some news outlets say
the company estimates the incident will cost them between
USD 100 M and 150 M.
Other corporations like Marriott International, Adobe, Uber, Experian, Yahoo!, and Sony have had significant cybersecurity incidents well covered by the press. Which of them is out of business?
The uncommonly known cases: small to medium-sized firms
Some critical aspects of the previous section are
the size of the costs,
the impact of the incidents, and
the vulnerabilities present,
leading to risk materialization.
How many companies could settle for
USD 18.5 M? Just a few.
There is no doubt that the majority of firms
are not in a position to face a similar event.
Smaller firms (mostly in headcount) could now cause tremendous harm
by allowing data breaches
(as an example, think about a company with fewer than 50 employees,
with revenue exceeding
USD 3 M,
and managing tons of user healthcare data).
Those same IT weaknesses are probably present (even more prevalent)
in smaller companies.
Here are a few stories about firms that went bankrupt due to a data breach, or at least where cybersecurity played a non-negligible role in going out of business.
MyBizHomepage: brought down by an insider
MyBizHomepage was founded in 2006.
Its valuation at that moment was around
USD 100 M.
After the service was launched (2008),
the principal co-founder fired the firm’s CTO
after learning that the guy was creating direct competition
for the firm with two more people. The reason?
The company declined a proposal to be sold for nearly its valuation;
the CTO didn’t like the decision.
The CTO had implanted some backdoors
to remote-control the IT infrastructure,
including backups, and started crashing MyBizHomepage, making it unusable.
The company couldn’t retake control
and had no choice but to shut down in 2009.
A wave of legal actions began from investors who lost a lot of money.
What is more: the ex-CTO,
the internal investigations found, was untraceable.
"But Mr. Justen said he did not realize
that the chief technology officer had no official identity:
no driver’s license, no credit cards, no tax returns.
The chief technology officer apparently had been living off the grid,
which made tracking him down almost impossible
even with the help of the authorities".
More details on this story can be found here.
Youbit: filed for bankruptcy after second hack
Youbit, a small South Korean bitcoin exchange,
went out of business after suffering its second hack in 8 months, back in 2017.
Cybercriminals stole 17% of its assets.
The first hack accounted for a loss of 4,000 bitcoins worth
USD 73 M in April.
No technical details of the incident are known.
South Korean officials accused North Korean cyber-spies
of being responsible for the robbery.
There are many other cases related to bankruptcy and cybersecurity incidents.
Mt. Gox, a Japanese digital currency exchange, had a fate similar to Youbit’s,
following hacks in 2011 and 2014.
"Mt. Gox lost about 740,000 bitcoins
(6% of all bitcoin in existence at the time)".
An interesting story was written by Hersh Shefrin,
Professor of Finance at Santa Clara University.
Concerning the recent US-China crisis,
he made a case that high-level hacking
by a well-known Chinese corporation
made Canadian Nortel Networks go bankrupt.
In 2010, another company,
Little and King, went bankrupt after its bank account was emptied.
The owner’s computer was infected by the
which stole personal and financial information, probably by keylogging.
Finally, it is worth mentioning the case of Westinghouse Nuclear,
which filed for bankruptcy in 2017.
The details of the story point to bad project management,
but indictments also point to Chinese hackers that stole intellectual property.
Concluding remarks: a massive risk for SMBs that can be better managed
We should update our beliefs about the impact cybersecurity can have.
More prominent players gain most of the attention;
smaller ones remain in the shadows, waiting to be found.
SMBs indeed face huge risks
when their data and IT assets are not well protected and supervised.
Nevertheless, there are actions and processes
SMBs could establish to manage those risks better.
One of them is to be proactive and integral in testing,
and we mean testing by attacking.
As in many of the cases reviewed here,
it all began with one or more weaknesses exploited by an attacker.
At Fluid Attacks, we excel in proactive security testing:
We are capable of continuously hacking enterprise-level systems. We can detect small changes that could pose risks to your business. We combine automated tools with the best-trained cybersecurity professionals.
We automate almost everything we know and do. A product we used to offer, Asserts, allowed us to evaluate the state of your systems quickly.
We store, describe, and track almost everything in our Attack Surface Manager (ASM). ASM makes it easier for our customers to keep track of their security weaknesses as well as fixes.
We hope you have enjoyed this post, and we look forward to hearing from you. Do get in touch with us!