Good cyber security is tedious and expensive. The alternative is loss of customer goodwill and potentially the closing of the business. On the personal side, the inconvenience of identity theft, data loss, invasion of privacy, etc. exacts a toll both financially and in time. The result is an unfair burden on small businesses and individuals. It is important to recognize that this is the way it is, the world we live in, and to accept a personal, even if limited, role in being a good data steward and protector. To that end, this post discusses a select few of the cyber security incidents of the last couple of years in various categories.
By being aware of the targets, the attacks, and the defensive tools you have, you can diminish the hacker's perceived gain relative to the time spent. For example, if a hacker determined that he/she was only making a few cents per hour for the time spent, they would find something more lucrative to do. In time, this will reduce the sheer number of hackers and attacks, and make it easier to track down and defend against the remaining bad guys.
Ransomware is software that encrypts all the contents of a hard drive and then extorts payment, usually in bitcoins, in order to get the unlock code. Some ransomware will also encrypt any attached backup drives. Ransomware can and has happened to many individuals and recently to several hospitals. This is a very lucrative area for the bad actors. Some bad actors (bad guys/gals) even run ransomware help desks. To pay or not to pay, that will be the dilemma when ransomware strikes you or your company. Recently Atlanta, Georgia in the US chose not to pay. The cost of recovery was over $2 million.
Medical records are worth about 10x what credit card numbers are on the black market. This is because the medical records can be used to file fraudulent claims. It takes much longer to realize your medical records have been compromised than it does for credit card numbers. Combine this with the relatively poor cyber security of hospitals, and hackers have a very lucrative market.
Note that medical records fall under HIPAA. HIPAA is the Healthcare Information Privacy Protection Act, and you probably signed a form at your doctor's office acknowledging their collection of data about you. Health providers are legally obligated to take reasonable steps to protect your healthcare information. Penalties are based on the level of negligence and can range from $100 to $50,000 per violation. This is capped at $1.5 million per year for violations of each HIPAA provision.
The largest HR records breach (a break-in with theft/manipulation of data) in history occurred in 2015 at the US government Office of Personnel Management, or OPM for short. This involved the theft of 21.5 million records along with 5.6 million fingerprint records. It is rumored that the Chinese are using the information from these records to put together a "Facebook" of US government and military personnel that can be used to put pressure on them or co-opt them. Keep in mind that these records contained the contents of the SF-86, which includes information about more than the applicant, extending to their extended families and neighbors.
This was a classic case of risk versus reward. Enough golden eggs (records) existed in one place with the potential for enough damage that they were highly sought after and justified the expenditure of almost any effort to obtain them.
Access was obtained through a breach of a contractor, with less security, who had access to the records. Our side failed to encrypt the records, failed to disperse them, failed to keep non-current records offline, and failed to detect the intrusion for a long period of time.
Target, the major retailer, was hacked on Black Friday in 2013. Over 40 million debit card accounts were scooped up. The data was not encrypted. Groups of Target customers filed suit claiming that "Target failed to implement and maintain reasonable security procedures and practices". Roll forward to 2015, and Target paid out $10 million to customers as a result of lawsuits. This does not include the costs to notify customers, legal costs, and the loss of goodwill among existing customers and of reputation in the marketplace.
The chief of the NSA (National Security Agency), Admiral Michael Rogers, said that it was a matter of when, not if, a foreign nation-state launches a cyber attack on US critical infrastructure. This would include things like the electric grid, water, sewage, and traffic. Even dams can be hacked.
In December 2015, Ukraine suffered an electricity blackout affecting 225,000 customers. It has been attributed to a cyber attack by a Russian group. In March 2016, the US Justice Department indicted seven Iranian hackers. Among their targets was a small dam, the Bowman Avenue Dam in New York. If a gate had not been disconnected for maintenance, the hackers would have been able to manipulate it, dumping water downstream.
The US power grid was hit with an average of one cyber or physical attack every four days between fiscal 2011 and 2014. The Pentagon estimates that a major cyber attack on the electric grid could take weeks to fix.
Is your business such that you need power from more than one utility? Perhaps it would be wise to create another company location in another section of the power grid, one unlikely to be affected by a regional disruption and able to take over the business should the need arise.
To the kid at the top who is yawning: hackers are stealing children's identities because, based on age, they will be valid longer. Better have your parents lock down your identity for you. And, I hate to break this to you so early, but you are on the front line of the battle over cyber security — like it or not.