Cybersecurity: Data Breaches and Its Economic Impacts

Cyber attacks are evolving to become the world’s sophisticated adversary. Cyber attacks and data breaches have imposed externalities leading to rational underinvestment in cybersecurity by private sectors. These attacks causing data breaches in Microsoft, the U.S government continues to pose a threat not just to firms, but even the economy.

Microsoft Customer Support Breach

In January 2020, Microsoft experienced a security breach. This breach exposed nearly 250 million Customer Service and Support (CSS) records on the Web.

The records contained logs of conversations between Microsoft support agents and customers worldwide, spanning between 2005 to December 2019. All of these data are left accessible to anyone with just data and the Internet all with no password nor any form of authentication.

The scary part was how Microsoft had no idea until the Comparitech security team led by Bob Diachenko uncovered five Elasticsearch servers, each with identical sets of 250 million records.

This event would confirm the statement by John T. Chambers, “there are only two kinds of companies; the one that is hacked and the one that doesn’t know that it has been hacked.”

What Data was Exposed?

The records exposed mainly were personally identifiable information like contact numbers, email addresses, and payment information. Other records were in plain text data such as:

● Customer email addresses

● I.P. addresses

● Locations

● Descriptions of CSS claims and cases

● Microsoft support agent emails

● Case numbers, resolutions, and remarks

Dangers/Economic Consequences

Though Microsoft redacted the records as quickly as possible, we can not disregard the fact that tech support scams may have dominated this information. With those detailed logs and information available to the public, scammers may have obtained these data and phished for sensitive information from user devices, which places users in harm’s way.

United States Federal Government Data Breach

In 2020, a major cyber attack by a group backed by the Russian government exposed thousands of organizations, including multiple arms of the United States federal government, leading to several other data breaches. This particular cyber-attack is one of the worst the U.S has ever experienced due to the high profile of the individuals and the duration the hackers had access to the data before the discovery by the U.S government.

During this time, at least 200 organizations worldwide reported being affected by the attack, some of which are NATO, the U.K. government, Microsoft, and others.

In December 2020, the U.S officials investigated what was stolen, when the breaches occurred, and determined how those data were used. Comments revealed that information stolen in the attack could increase the perpetrator’s influence and could even influence attacks on the CIA and NSA or be used as blackmail to recruit spies. Cyberconflict professor Thomas Rid also added that the stolen data could have myriad use.

The Cost of Malicious Cyber Activities on the U.S. Economy

1. As of 2016, malicious cyber activities cost the U.S. economy between $57 billion and $109 billion. This is 2021; these figures might have tripled.
2. Any malicious cyber activities directed at private and public entities show denial of service attacks, data and property destruction, theft of intellectual property, and other sensitive information.
3. Firms usually share common cyber vulnerabilities, causing one cyber attack to birth multiple cyber impediments across firms.
4. Firms share a familiar cyber environment. Hence, lax cybersecurity imposes negative externalities on other economic entities and even private citizens.
5. Cyber attacks against critical infrastructure in the country could be highly damaging to the U.S economy.

Cybersecurity Priority in Board Rooms

Not too long ago, sophisticated executives would make long and thoughtful discussions on technology strategy and not a single security concern. The contrary is what we see today as organizations now have substantial assets and value manifested in digital form, deeply connected to technology networks, with cyber attackers consistently honing their attack forms. This warrants that senior executives must acknowledge the extent of this threat to their business. In the last five years, high organizations have experienced more cyberattacks even with governmental information.

Data breaches from cyberattacks in more ways than one have wreaked havoc on major industries and prominent companies like Target, Microsoft, Home Depot, LinkedIn, and eBay. Many of these attacks place individuals’ identification numbers and payment methods in jeopardy.

The damages these breaches cause are unfathomable until you see the alarming number of losses suffered by these organizations. The Ponemon Institute discovered that an average individual data loss costs a company approximately $154. JPMorgan Chase recently suffered a breach of 83 million users, multiply this with $154 and you have a staggering 12.78 billion dollars.

These high-profile leaks have pushed cybersecurity to the forefront of board members and a top number on the priority list of board rooms discussion. PWC’s recent Corporate Directors Survey confirms that board members are engaging in I.T. strategy to combat cybersecurity risks. The study states that “83% of directors describe themselves as at least “moderately” engaged with overseeing the risk of cyberattacks.”

Regardless of the varying reaction of board members to this information about cyberattacks, it is still increasingly clear that they must act directly to avoid personal risk. International Association of Privacy Professionals argues that board members are sleeping on the wheel regarding their reaction to cyber threats. An argument that could be regarded as accurate, having seen how the U.S government and other affected bodies reacted to the malware that came upon them — it took them three months to discover a breach had happened, long after the damage has been done.

Dana Post of IAPP writes, “Target, for example, is facing a shareholder derivative lawsuit alleging Target’s board members breached their responsibilities to the company by failing to maintain proper internal controls over data security and misleading affected consumers about the scope of the breach after it occurred.”

This undoubtedly demonstrates how much harm cyber-attacks are to corporate leaders and the economy and how much corporate bodies must solidify their security measures to ensure proactiveness with cybersecurity.