The recent hack of US extramarital dating site Ashley Madison, and subsequent posting of 37 million members’ personal data online, prompted Avid Life Media, the Toronto-based firm that owns the site, to release a statement saying, ‘The current business world has proven to be one in which no company’s online assets are safe from cyber vandalism, with Avid Life Media being only the latest among many companies to have been attacked, despite investing in the latest privacy and security technologies.’
It’s certainly true that these kinds of mass data breaches are appearing more and more in the media. From the breach of US healthcare firm Anthem at the beginning of the year exposing up to 80 million customer records to the leak of client data from wealth management giant Morgan Stanley, we seem to be undergoing an enterprise data breach epidemic.
So why are large-scale hacks and the release of stolen data online becoming so frequent? Some, such as Jack Bedell-Pearce, managing director of colocation and connectivity firm 4D, would argue that they’re not:
‘The issue is that the reporting of them has become more public, and the scale and nature of these hacks is just more scandalous than other security breaches. What has changed in recent years, though, is that criminal organisations are using a more targeted approach.’
The impact that such a targeted breach can have might be devastating, depending on the nature of the breach, how much data was lost and the motivation of the person doing the attack.
The motivation isn’t always monetary – some, such as the Ashley Madison attack, are carried out to teach a moral lesson or make a point. Gary Newe, technical director at F5 Networks, argues that we’re now entering a new, darker phase of cyber attacks, of which the Ashley Madison hack has been the most high-profile example.
Rather than simply attempting to cause disruption and embarrassment, or to generate a bit of self-publicity, these criminals were hacking for ransom and ethical reasons. The perpetrators, the ‘Impact Team’, have claimed that the attack was an almost moral crusade against the firm behind Ashley Madison.
‘According to the hackers, Avid Life Media made $1.7 million in revenue in 2014 from the full delete service, which allows users to remove site use history and personally identifiable information for a one-off cost of $19,’ says Newe. ‘But as we learned after the hack, this was not the case, with many users’ personal details being revealed despite them paying to have them removed years ago.’
Motivation, motivation, motivation
Many – if not most – cyber attacks are financially motivated, based around gaining access to company secrets in order to win a competitive advantage, blackmailing individuals, or stealing credit card details. However, in other instances the attack may be more politically motivated – for example, espionage or hacktivism.
Take, for example, the hacktivist collective Anonymous, which has targeted government agencies in the U.S., Israel, Tunisia and Uganda, child pornography sites, the Westboro Baptist Church, PayPal, MasterCard, Visa and Sony, among many others.
The rise of organised groups such as Anonymous has signalled a growth in hacktivism over the past few years. With Ashley Madison and Sony in particular, the target is the company’s very reputation, and the goal in Ashley Madison’s case is to actually end the business.
‘These types of advanced persistent threats are highly targeted, with a very specific goal or outcome in mind,’ says David Flower, EMEA managing director at Bit9 + Carbon Black. ‘This makes it even more difficult to defend against. Hackers are well funded and equipped with the latest sophisticated technology, which makes them formidable foes. If they want to get into your systems, then the chances are that with time and tenacity they will do just that.’
These attacks are publicity driven; they want to expose wrongdoing or cause disruption to organisations, and they want to get noticed. This is why, says Flower, motivation plays such a big part in how to respond to a threat.
‘Unlike hacktivists, those involved in financially motivated attacks, or attacks linked to espionage, will try to fly under the radar and avoid detection,’ he says. ‘Yet hackers who seek to publicly embarrass or ruin an organisation, or draw attention to its wrongdoings, will be more likely to make information public.’
However, it is always worth considering whether or not the public attack is just a smokescreen designed to distract from a bigger heist, which is why companies should consider having always-on, continuous monitoring of each and every endpoint device to ensure that more hackers aren’t sneaking in the back door while they’re busy putting out fires in the front garden.
Raising the stakes
As consumers become more digitally savvy, more and more personal information is being stored and hosted online – credit card transactions, medical records, travel information and many other pieces of personal data are now digitally accessible.
This, in turn, opens up opportunities for hackers to benefit from stealing the data.
‘Having access to sensitive information can be a huge bargaining chip for a hacker, as a company’s reputation can be on the line if that information is publicly disseminated,’ says Paul Briault, digital security, identity and API management director at CA Technologies.
And the stakes are higher than ever for companies. In terms of sanctions for data breaches, there has been a recent push for more aggressive fine levels and enforcement in the EU as a result of too many companies taking a half-hearted approach to compliance – a view expressed by the enforcers across Europe.
Expected over the coming months is a new, unified data law for the EU – the General Data Protection Regulation – which will replace the existing Data Protection Directive and usher in sweeping changes, with proposals to beef up and alter the current regime.
A key part of the regulation is larger fines: penalties of up to 5% of global turnover or €100 million for serious data protection breaches have been proposed.
‘Civil action against organisations where breaches occur is also a realistic prospect, and particularly worthy of note is the increasing trend in EU countries such as the UK to permit privacy claims via the courts, even where no financial loss has occurred,’ warns Rafi Azim-Khan, head of data privacy for Europe at international law firm Pillsbury Winthrop Shaw Pittman.
‘This significantly broadens the circumstances in which data protection litigation can be brought and damages awarded. The fallout from the breach may haunt an organisation for years to come – for example, stolen data could be continually dripped into the marketplace as a constant reminder of the breach, which would completely undermine that victim’s credibility.’
The result, for the corporate world, is that the issue of cyber security is being pushed higher and higher up board agendas to the extent that it cannot be ignored. It requires organisations to set aside budgets to take expert external advice and implement sophisticated compliance programmes.
Unfortunately, many companies don’t think about implementing the right policies, and the technology that will help support the enforcement of those policies, until it is too late. ‘An “it won’t happen to me” approach is still very prevalent,’ says Briault. ‘However, it is often shortsighted. Damage caused by a security breach can be much more costly than investment in appropriate security measures ahead of time.’
Although the reporting of attacks on high-profile organisations like Sony and Ashley Madison has become more common, the vast majority of attacks remain mostly unheard of, with only the successful breaches reaching the news – arguably lulling organisations into a false sense of security. It’s clear that enterprises cannot afford to dismiss the possibility of a major data breach.
But despite the billions of dollars spent each year on anti-phishing, anti-malware, antispam and other security solutions, Ashley Madison has shown that threats can still find their way into the largest companies despite the best efforts of security teams to stop them.
‘There is no silver bullet when it comes to security, and nothing is 100% fail-proof,’ says Flower. ‘This is why companies need to have multiple layers of security. One of the biggest flaws in security policy is that there is too much emphasis placed on prevention alone, when detection and response are equally – if not more – important.’
In the event that the worst should happen, a well-developed reaction plan should ensure containment of the breach and recovery of lost data while the damage is assessed.
UK privacy watchdog the ICO encourages companies to come forward to report the breach as soon as possible. But in this crucial period, companies should be careful about rushing to self-report.
While transparency is important, there is, more often than not, considerable merit in not jumping the gun in terms of notifications to regulators and customers until the key facts have been established and the extent of the issue is clear.
This may no longer be an option for organisations once the new EU-wide data protection regulation has been fully introduced, however. Any company’s breach notification policy will therefore need to be prepared or updated with this in mind.