Published: Nov 23, 2015 11:26:58 AM

Accessing point-of-sale data on hundreds of thousands of Target stores, hackers lifted the credit card information from 40 million customer accounts on Black Friday, 2013. Elementary malware bounced the seized numbers to a rented server in Russia. Target’s $1.6 million worth of Pentagon-level security proved insufficient defense.

In October, 2014, Sony Pictures was hacked, and intruders stole everything that wasn’t nailed down—production notes on The Amazing Spider-Man 2, personal employee data, and heated email exchanges between studio executives. It’s all indexed on Wikileaks now.

Most recent of all, 1.1 million personal electronic health records, valued at $60-70 apiece, were stolen in a cyber attack on Washington D.C.-area CareFirst BlueCross BlueShield servers. The data was reported stolen on May 14, 2015.

Trouble is, evidence shows the actual theft occurred in June, 2014.

Hackers have smelled the blood in the water. Customer data was snatched up. Millions were stolen. Public trust was weakened. The revelation that there was almost zero accountability or regulatory reformation afterward is perhaps the most upsetting of all.

Why do gigantic companies like Target, Sony, and BlueCross BlueShield get hacked?

The hackers responsible in each theft share the same motivations as any other criminal.

  • Financial benefit

  • Because it’s there (suffering that delusional, opportunistic Robin Hood-complex)

Even with their security software in place, Target was hacked on the busiest American shopping day of the year. The malware used to steal the data was reportedly a rudimentary deployment. Well worth any potential risk. To not attempt it would be leaving money on the table.

More on that in a moment.

First though, how did this become the accepted status quo? Shouldn’t personal records and customer trust carry paramount importance? In decades past, cyber attacks were hardly malicious.

“The root cause historically was around negligence, incompetence—not necessarily around criminal activity,” explained Dr. Larry Ponemon, founder of the Ponemon Institute, studying healthcare sector security. “It changed this year for the first time. The number one root cause of a data breach is criminal activity—could be insider or external.”

Ponemon reported security incidents cost the healthcare industry $6 billion per year. Attacks on healthcare records are up 125% since 2010.

So, the “why” of these hacks becomes obvious. We are in an era of data-hoarders. Stolen personal information is a viable global business. Business is booming.

Again, money’s on the table.

Hackers don’t necessarily want your phone number, or even your social security number—they want your delicious medical records, and the birthdate and email therein, key ingredients in modern identity theft. Hence the $70 street value for each BCBS record. These are commodities with high trade value to hackers.

In startling contrast, Sony’s hack does not appear to be profit-motivated. More just pettiness.

The FBI’s initial evidence on Sony's hack suggested North Korean attackers were retaliating for The Interview, a movie Sony Pictures was producing. It’s more likely the DPRK was propped up as a scapegoat. A now-reformed former member of the hacker group ‘Anonymous,’ which attacked Sony’s PlayStation Network in 2011, pointed out how simple it would be to fabricate the evidence the FBI unearthed.

To be blunt, there isn’t enough bandwidth in the whole of North Korea to transfer that much data from the Sony hack.

Since it’s physically impossible for it to be a political play, and no money was taken, it’s likely this is part of the hacker community’s unceasing siege against Sony. Their strife dates back to the early 2000s. Sony previously tried to sneak spyware onto music CDs in 2005, ironically weakening operating systems to malware threats.

The Sony hackers flagged their 2014 work with a hashtag #GOP, or, “Guardians of Peace.”

The Internet’s self-appointed Robin Hoods have long memories.

Easy payback. Opportunity, seized.

How do these large data breaches occur?

BlueCross BlueShield is a decentralized entity with innumerable local branches and no consistency in its security practices. The weaknesses in the ancient dragon’s armor were gaping.

To wit: you may have confused CareFirst’s crisis with another attack on the Georgia-region healthcare insurer, Anthem. Its branches have BlueSomething in their names, too. 80 million records were stolen from Anthem in February, 2015. The healthcare industry has no security standardization. None of its data is encrypted, making it a soft target.

The “how?” for Sony is sadder. According to The Verge, the hackers gained access with help from insiders willing to unlock some doors. Physical doors. Malware: installed.

Consider that: cooperative employees assisted the Sony hack.

The most teachable moment comes from Target though. Mentioned earlier, they deployed a $1.6 million FireEye security system just six months prior.

Does that number look inadequate to you?

Per Bloomberg, that really is $1.6 million. With an “M.” Target, a company with $44.5 billion in assets, and number 36 on the Fortune list, spent $1.6 million on its data security.

(FireEye also consulted with the FBI on the Sony breach.)

The story’s flavor twists further: days prior to the attack, FireEye’s CIA-caliber team working 24/7 in Bangalore was looking for intrusions.

And they spotted it!

Upon reporting it to the corporate security team in Minneapolis, Target did—nothing.

The feature to automatically zap such rote malware had reportedly been disabled.

Why? Uncertain, but the hack’s bottom-line price might be of interest.

Inaction cost Target nearly $150 million. John Kindervag, VP and Principal Analyst at Forrester Research, and a former colleague of mine, was quoted in the New York Times, saying, “I don’t see how they’re getting out of this for under a billion, over time. $150 million in a quarter seems almost like a bargain.”

To summon the Ponemon Institute’s earlier words, we should be beyond negligence and human error in data security. And yet, here we are.

Okay, So How To Write About What's Next?

In the aftermath, the facts are these:

  • Sony and Target’s stock prices merely fluttered amidst their respective hacks. Sony’s even rose in February of 2015.

  • Sony’s hack not only aired its dirty laundry and corporate emails, the dollar figure in damages stands at $100 million (their 2011 hack cost $170 million).

  • In all cases, the only safety measures to protect the customers were recommendations to change their logins and passwords.

  • The extent of the CareFirst hack is immeasurable. Spear phishing emails will likely be going out to the 1 million-plus whose data was stolen for the foreseeable future.

  • No security reformation policies have been proposed in any of these cases.

  • The last point before we close: top executives, Gregg Steinhafel at Target, and Amy Pascal at Sony, stepped down from their roles in the wake of these events.

Forbes reports Steinhafel earned $61 million in severance. Pascal, more of a victim in all this, is still producing Spider-Man movies, now with Marvel. The next sequel is due in 2017.

How do we address this going forward?

There are countless cautionary tales here about needless revenue loss, decayed customer trust, and even data security on an international level—it’s just so difficult to hear those lessons over the sound of wind whipping through golden parachutes.

-- @Alex Crumb

Tagged topics in this post: technology

Ghost Little blog