Hacking as a Business Model
This week’s news that three men had been charged in the largest ever data breach of a financial institution has changed the conversation about data breaches for good. No longer are bad actors hacking financial institutions for immediate gain. As U.S. Attorney Preet Bharara detailed at a press conference earlier this week, this trio of bad actors has led us into “a brave new world of hacking for profit…in short…hacking as a business model.” And it would seem from the evidence collected that the next stage in their “sprawling criminal enterprise” was to leverage the information and identities they accessed to engage in large-scale securities fraud.
Over 8 years – from 2007 to 2015 – the cyber criminals compromised nine major US financial institutions to obtain personally identifiable information (PII) in order to carry out fraudulent stock sales. From JP Morgan Chase alone, the hackers stole 83 million records. Using the illicitly obtained PII, the trio “bought penny stocks and drove up their prices. They then sent spam emails to the customers whose data was stolen, encouraging them to buy those stocks. When the prices went up, the suspects cashed out leaving investors with significant losses.”
For both the financial institutions whose systems were hacked and for the individuals whose PII was stolen, this is a devastating attack. While the immediate effects are bad enough, the ultimate costs are going to be many times larger than the initial tally of financial losses.
For other organizations – and even for individuals – this story needs to move from cautionary tale to teachable moment. Anywhere that big money is involved, regardless of industry, cyber criminals are working hard to exploit bad cyber security hygiene – everything from an uneducated workforce, to weak passwords, to poorly configured network sensors – in order to gain access to information systems that contain PII and proprietary business information. These attacks are happening all the time, and the successful ones will continue, as this one did for years, as long as the tendency to gravitate toward the lowest common denominator in security practices is allowed to persist. And, finally, the costs and consequences of these hacking enterprises are long-lasting and will add up to trillions of dollars when all is said and done.
What must happen? We all need to step up our game when it comes to the security of our “personal” information online. This starts with your credentials: how you access, and how you define authority over, the online accounts you use personally and professionally. Not only are we individually responsible for choosing strong passwords, or for using solutions that help us do so, but we must also demand more from the institutions to whom we entrust our money, and indeed from every organization with whom we share even our name and email address, let alone our social security number. In return, businesses must start addressing their security hygiene to ensure that they have state-of-the-art defenses in place and, given that breaches are almost inevitable, that they have the ability to limit the scope of a breach once an attacker gets in.
Information security, data security, online security – however you want to describe it – is one of the most important national and global security issues of our time. The moment that we let hacking and other malicious cyber activities take root as the equivalent of a legitimate business operation, we’re in significant trouble. But we still have the opportunity to fix our flawed approach to data security. So let’s get to it!