Businesses Need To Consider The New Hacking Paradigm

While hacking credit cards for fun and profit is still a popular pastime, two additional hacking models need to be considered.

The first additional model is the Anthem Blue Cross or Office Of Personnel Management model.  In those cases, hackers are looking to amass vast amounts of data on as many people as possible.  They want the dossiers to be as deep as possible.  Whether it is 80 million as in the case of Anthem or 25 million as is the case in the OPM breach, those hackers collected vast amounts of data.  Those dossiers will be of value for years or possibly a lifetime (your blood type or medical illness history cannot be reissued).

For a business, offering 12 months of credit monitoring will no longer calm people down.  The courts have started to agree with plaintiffs that there is potential imminent harm and credit protection will not sufficiently mitigate that harm.  In either of these cases, that likely means that settlements with plaintiffs will get more expensive, will drag out longer and will damage the business’s reputation more deeply.

The last hacking model is total nuclear destruction.  We saw this, really for the first time, with Sony.  Those hackers were out to do as much damage as possible: decimate servers, destroy reputations, do as much harm to the business as possible.  It cost Sony Entertainment Chairman Amy Pascal her job.

This was followed by the breach at The Hacking Team.  While some people may not have been happy about their business model, their brand is now demolished.  Selling the tools that they sell to pseudo-friendly governments is not going to make you friends.  In addition, with all of their source code for exploits that they used laid wide open and patched by vendors, they need to rebuild their tool arsenal.

Most recently, we saw Ashley Madison get hit.  The hackers said close down your business or we will destroy you.  A-M did not shut down and the hackers dumped 10 gigabytes (compressed, meaning that it was really maybe 15 or 20 gigabytes of data) on the market including user information and business documents.  When Noel Biderman, founder of A-M didn’t acknowledge that the data was real, the hackers dumped another 20 gigabytes of data including his entire email file.  The hackers say they have hundreds of gigabytes of data left to dump.

Researchers and journalists are now combing through the A-M user data.  Already they have found 15,000 .gov and .mil users, and users from the White House, Congress, the Pentagon, the Capitol Police and presidential candidate Ted Cruz’s office have all been identified.  Ex-reality TV star Josh Duggar was outed and publicly apologized.

These last two hacking models should be of much greater concern to businesses.  They are much harder and more expensive to recover from; it may require significant downtime to recover from – Sony, for example, did not have any operational financial systems for 60 days and had no email or voice communications for two weeks.  In some cases, it may require reinventing the business.  Ashley Madison was planning on a $100 million IPO this fall.  That IPO is on hold now.  Maybe for a short while;  maybe for a long time.

PNI, the division of Staples that provided photo printing services online to the likes of Costco, Walmart and CVS, and that was hacked last month, was purchased last year by Staples for $67 million.  I bet that at least some of those customers will change providers.  What do you think happened to the brand reputation of PNI?  What do you think the market value of that division is today?

It is incumbent on the C-Suite, the Board, auditors, shareholders, bondholders, potential investors and anyone else who is affected by business valuation to consider this. Carefully.  With due diligence.

If these people do not shine a bright light on this, I know a group that will.  That is the plaintiff bar.

Just sayin’


Information for this post came from Wired, the Associated Press, Rollcall, and The Guardian.