A Halloween-inspired overview of the horrors and business losses caused by bad data security.
The consequences of poor data security for businesses can vary from small fines and penalties to going out of business altogether. The importance of secure products and infrastructures is often preached, but rarely practiced, and data security still remains the last place where attention and funding go.
Sometimes the implementation of the current security guidelines remains stranded on the bottom of the developers’ backlog until a huge data leak makes the news.
The problem with directing the attention to security matters lies in the lack of understanding what good it can bring. The lack of obvious losses is still not a “profit” for a typical business thinking.
Inspired by the Halloween vibes, we’ve compiled a list of data leaks and breaches that highlights the most catastrophic financial losses and sometimes deadly consequences that the neglected data security brought to companies. All in the hope that it will inspire some to implement better security, lest something like that happens in their companies. Boo!
Google +: Shut down by the parent company. After exposing the data of 500,000 users, Google decided not to go into the details of the incident and the less-than-popular social network was closed by the parent Alphabet corporation once and for all. The main cause for the breach was the vulnerability discovered in the Google+ API that made it possible to gain access to the data of “friends” of the app users. Sure, this social network wasn’t too popular and it would be unfair to say that it was this security incident alone, which resulted in the shutdown, but such a coincidence is ominous, to say the least. Additional losses? Another social effort by Google killed off, rendering hundreds of working hours of skilled engineers useless or used up on the complete shutdown of Google+.
“60% of small businesses fold within 6 months of a cyber attack” — Inc.com
Code Spaces: Lost money, reputation, and closed after a major hacker-induced attack.
A now-defunct SaaS provider Code Spaces closed in less than a year after the company’s data got into the malicious attackers’ hands. After gaining access to Amazon Elastic Compute Cloud control panel, the attackers erased backups, data, and machine configurations before asking for a “large fee” ransom for returning the stolen company information. Code Spaces tried to undo the damage by changing all the passwords, but the attackers have already created backup logins. There was nothing left for Code Spaces to do but to acknowledge the damage and inability to continue the operations and close.
MyBizHomepage: Going from a $100 million-valued company to nothing after a revenge attack by a fired tech executive.
MyBizHomepage used to provide a convenient tool for monitoring business metrics via QuickBooks accounting software. Several top technical executives fired from the company decided to pay back with an attack on the internal infrastructure, compromising everything and rendering the solution unusable. Over $1 million was spent in attempts to mitigate the breach, but the site was already beyond repair so the company’s board decided to close MyBizHomepage for good.
Distribute.IT.: Online services’ seller couldn’t survive a series of cyber attacks spanning through a few weeks and ultimately closed. Common sense security fail is to blame.
Despite having an experience in dealing with attacks (according to the owner of the now-defunct business, at least 2 clients of the total 30,000 that used the service had attacks attempted at them daily), the attack that sent the company downhill involved the attackers getting behind the firewall and gaining the access to the master user access information.
The company switched to 72-hour shifts trying to mitigate the damage, but the next attack that followed a week later has proven that it all has been in vain. Attackers wreaked havoc on the company’s network, escalated the attack to full destruction of the servers and backups inside the network, and locked out the IT team. Trading and VoIP systems were compromised and broken next. The trust towards the company was completely lost. It took around a year to fully recover from the consequences of the attacks. How could this happen? The hackers got in through getting a keylogger malware onto the laptop of one of the staff members.
So, carelessness and inability to withstand repeated attacks can ultimately force the companies out of business and existence. What are the less extreme consequences of security incidents — if one could call a multi-million dollar fine “less extreme”?
If the companies don’t implement strong security, don’t monitor and audit their infrastructure and code, they have to pay for it, be it in the form of distracting the employees from the tasks at hand and devoting their attention to the mitigation of a security incident or paying fines that follow the disclosure of a breach (sometimes lawsuits or class action lawsuits, too), or both.
Why is this so hard to do in practice? One could argue that it’s the case of positive versus negative security where the “negative security” is just that — security done right. But while the “positive security” remains an extremely obscure notion, the lack of the regular “negative” security is something that companies pay top dollar or their very existence for.
With the increasing number of data breaches per year (Vigilante has an online list of all the known breached databases, acknowledged and unacknowledged, if you’re curious), governments decided to take the matters in their own hands through providing new state-level security regulations. That includes GDPR in the EU and DPA in the UK, with the rest of the countries trying to come up with similar legislative acts making the compliance with these 2 a good idea to keep your products out of trouble.
We’re yet to see huge GDPR-related lawsuits work out, i.e. those issued by the Noyb data privacy-advocacy group towards Google and Facebook on the very first day of GDPR coming into force, with LinkedIn and Apple targeted next. But there are some terrifying amounts of money that have already been paid out by companies for security carelessness that made it onto our list of businesses fined for bad data security.
Hilton Hotel chain: Fined $700K for credit card info breach.
The Hilton hotel chain actually got very lucky when it was rightfully fined for mishandling credit card information in 2 separate data breaches. How come? More than 350,000 accounts were put at risk after cyber attacks that took place in 2014–15. Hilton only notified the public about the incident and breaches in late 2015. This resulted in a $700,000 fine. Had Hilton been fined according to the GDPR, the sum total of the fine would have amounted to $420 million.
Uber: Breached, attempted bribery, ended up paying a huge fine.
Uber took their time to disclose a 57 million user account breach that took place back in 2016 as they tried to bribe the “hackers” first. According to BBC, before making a statement about the data breach in November 2017, Uber tried to pay the data thieves $100,000 in a hope that the stolen data will be deleted. The affected drivers’ accounts (around 600,000) were reimbursed for their name and license details by in-app incentives while the affected customers got nothing. In the end, Uber had to pay a $148 million fine.
Facebook: Multi-billion fines under GDPR and before, feature suspension, unwanted governmental attention to the company’s executives, and a security investigation plus audit.
Facebook seems to be going through a series of data breach related scandals, with the trouble related to Cambridge Analytica (87 million accounts compromised) being one of the most prominent ones, but it got onto our list for a different reason. The new vulnerability in the “view as mode” exposed around 90 million of Facebook users, with access tokens stolen from at least 50 million users. Most likely, access control tools like logging, encryption, and monitoring could have helped to avoid such data exposure. But the vulnerability was a result of a number of unfortunate coincidences and bugs.
In a huge company like Facebook, with its fast deploy culture and a million of different things to look out for, it is hard to keep track of everything, but that’s not an excuse for businesses of smaller scale. Since the more recent Facebook breach took place with GDPR already in action, Facebook is now facing a $1.63 billion fine (in addition to the employee efforts directed at breach mitigation, suspension of the faulty mode, and carrying out a security audit). While Facebook can afford such fines, for most companies such a security accident would have meant a certain death.
Yahoo!: Around 3 billion user accounts compromised, over $35 million fine.
One of the largest data breaches in history took place (or was disclosed) gradually — at first, the 500,000 and then 1 million accounts breached in 2013–2014 made the news until it became known that 2 more billion of accounts were compromised. Yahoo! issued a statement mentioning that “all accounts that existed at the time of the August 2013 theft were likely affected”. Yahoo! ended up paying a $35 million fine imposed by the US Securities and Exchange Commission for this security incident. The UK data protection regulations also fined Yahoo! for £250,000. The reason that caused this massive data breach was forged cookies that let the attackers access the accounts without needing to use passwords. It is believed that a single source of attacks was responsible for all the breaches.
Sony PlayStation Network: Down for a month and $171 million in losses as a result of 77 million user accounts’ hack.
The Sony PS Network breach is considered to be one of the largest data breaches in the gaming industry. Out of the total 77 million hacked accounts, 12 million contained unencrypted credit card numbers and other personal info, such as emails and home addresses, names, passwords, purchase history, and PSN/Qriocity logins. Sony suffered a class action lawsuit and paid a preliminary $15 million settlement — and that was cheap, compared to the impact. Morals? Security is an ongoing effort, and even if you operate in a non-critical market, but store plenty of customers’ data — security should be the primary concern in your business.
Equifax: Easily one of the biggest and gravest data breaches ever.
The supposedly trustworthy company leaked more than 147 million accounts belonging to the USA citizens. Initially faced with a $114 million fine in the USA alone, Equifax also had to pay $660,000 in the UK as the leak violated the British data privacy regulation. Luckily for Equifax, but not for users, the leak took place before GDPR came into full effect, but the final “price tag” on the fines is still likely to increase as the investigation goes on.
The initial cause of the leak was cybercriminals infiltrating the Equifax infrastructure through the consumer credit reporting agency using an exploit on the website. This allowed the attackers to gain access to social security numbers, personal, and financial (tax, credit score) information. After such a large security incident, the users’ trust towards Equifax was lost and the company is being forced out of the business. This can happen to any company operating with users’ data. Yes, even to your company.
When things get weird
Fines are not the only aftermath that companies can suffer from as a result of bad security or carelessness. Sometimes the results are weirder and hold more potential problems and losses in the future.
Twitter: Former password breach could have been one of the largest data breaches in history. But Twitter got onto our list’s weirder section for a different reason.
The monstrous data leak expected after the discovery of a bug that logged Twitter users’ passwords in plaintext never happened. But GDPR still got its best of Twitter making it dedicate a lot of employee resources to locking out and banning the accounts of all users who were suspected to be under the age of 13.
In reality, Twitter also locked out a lot of users who’d merely registered before the age of 18 and are of legal age now. Users with confirmed current age up to 25 also had their accounts suspended. The reason for the weird actions from Twitter is the GDPR rules about handing the data of minors. GDPR provides a fine for services and websites that allow users under the age of 13 to use their platforms. So Twitter also erased the content that was suspected to be belonging to the users younger than 13 after the mass ban.
Timehop: Social network plug-in had 21 million user profiles hacked in July 2018 in a result of a cyberattack.
Access keys, emails, and names of the users have been stolen. Now Timehop is waiting for the consequences, whatever those might be as the breach clearly took place with GDPR in full force. Timehop got onto our “weird” list because of their particular current standing — the first company that will be fined with all the severity of GDPR, but without the near-limitless budget of giants like Facebook or Equifax. It is interesting how the things will (or won’t) work out for Timehop after the breach.
Heartland Payment Systems: The Heartland data breach at one point held the title of the largest data breach in history.
Private information of around 130 million credit and debit card accounts was exposed to potential fraud after the payment system was hacked in 2008–2009. Why did this breach get onto our “other” part of the list? Because it still holds a record for the longest prison sentence ever issued for a cybercrime (by the US court). The cybercriminal behind the hack was sentenced to 20 years in prison. The losses for the company added up to more than $12.6 million.
Dropbox: Leaked 68 million user passwords in 2012. Got “out of jail free”.
After a cyber attack by a “hacker” who called themselves “doubleflag” (and offered the stolen data on Dropbox credentials for 2 bitcoin, which amounted to around $1100 at the time), Dropbox chose to mostly ignore the incident. What?! The stolen passwords were protected through SHA1 hashing (although still far from an optimal choice) and half of those — by a stronger hashing through bcrypt. Luckily, the hashes were also salted with strings of random data, making it harder still for the attacker to make sense of it all and use the passwords. After the leak was discovered, Dropbox simply reset all the impacted passwords. Morals of the story? Encryption tools and proper incident response policy can save you, that’s a treat instead of a nasty trick.
Wait, so there are simpler ways to protect huge amounts of data without employing an army-grade security team?
In the era before the prevalence of electronics and the Internet, only armies and governments’ secret services took interest in data protection. Today data is collected, processed, analysed, transferred — and on each step something can happen to it, often due to our own self-righteousness and carelessness.
If the data in question is our personal data, it is bad enough. If the data in question has been entrusted to us by our clients, we need to take a greater care to handle it properly and securely. Why? For the lawsuits, fines, and other more terrifying consequences not to be looming over the business we build or are employed by. Competitors or “hackers” will be thrilled to discover you’ve left them an entryway.
If you think this was a good read, but nothing like that could ever happen at your company, you’d better reconsider. The research carried out in 2017 when over 400 tech executives were interviewed, showed that:
- 11 % of the interviewed admitted to the overall lack of preparedness for a cyber attack,
- 29% agreed that there was no clarity about the responsibilities and algorithms of work during a cyber attack (18% had a certain understanding, but a lack of agreement within the company),
- and 18% chose to keep silence about the security accidents towards the stakeholder, even in the middle of a raging crisis.
And there are also good old human errors and carelessness that bring catastrophic consequences for the companies even in the absence of an active malicious attack.
The truly safe software development is not here yet, so we still need reminders that show us the real consequences of data security. Until good software and secure software become synonymous, there will be fines and bankruptcies, and losses. So what can be done about improving the security in the name of saving a business (and in the name of common sense, we would add)? You need to be deliberate about improving the real-world security of your products and the steep and narrow path to better security is not one thing, but a number of small deliberate actions and tools.
Start with raising the overall level of security awareness among the technical and non-technical employees in your staff (and introduce proper BYOD security policies), set simple security checklists. Pay more attention to the way sensitive data is treated, i.e. use encryption tools, audit user activities, make sure that encryption keys are managed correctly. It takes some work and knowledge, sometimes it also takes some external help, but you’re never better off with shrugging off the security. Don’t fear it when you’d be better off making it your ally. After all, correctly implementing the security strategy is way less pricey than lawsuits and fines.
If you have an example of catastrophic consequences that bad data security had for business which we didn’t include, and that is particularly noteworthy, please share, we regularly create lists of security fails and would love to include your submission. Please reach out to us via email@example.com or @cossacklabs.
P.S. Last year the Halloween theme inspired an illustrated ELI-5 article about Zero-knowledge protocols.