Killing Me Softly with His Hack

Cybersecurity attacks can, and have, killed companies – but now analysts think larger firms will fall. Danny Bradbury investigates whether hackers could slay a Fortune 1000 company

The end of 2016 somewhat predictably saw analysts across the land issuing their 2017 cybersecurity predictions. One prediction of Forrester’s stood out: The company believes that in 2017, a Fortune 1000 company will fail because of a cyber-attack. How likely is this to come true? Can a cyber-attack kill a large company via bankruptcy, acquisition or regulatory enforcement, as the analyst firm predicts?

Emerging Unscathed

In practice, very big companies tend to emerge relatively unscathed from these disasters. Target’s 2013 breach saw thieves steal around 40 million credit and debit card records, and around 70 million customer records. That breach cost the firm $291 million, but it only paid around $201m of that, because some of it was covered by its cyber-risk insurance. That amounts to 0.27% of its 2015 sales, which totaled $73.78 billion. The attack may have embarrassed Target, but in financial terms, it barely made a scratch.

A large proportion of Target’s costs came from lawsuits. In the future, more punitive regulatory measures could leave companies susceptible to financial fallout. In May 2018, the General Data Protection Regulation (GDPR) will come into effect across Europe. Even if the UK triggers Article 50 and begins its journey towards Brexit, the process won’t be complete by this time, meaning that UK companies will be subject to the GDPR.

Under the EU regulation, companies could lose up to 4% of their revenues in fines as the result of a negligent data breach. That might sharpen the focus on security at a board level, argued Christopher Hodson, senior director of information security at cloud security service provider ZScaler, but it still doesn’t pose an existential threat to larger firms.

“On the one hand that could be a real driver for an organization to be put out of business,” he says. “But then, the larger the organization, generally the greater its ability to absorb a short-term impact.”

How Embarrassing!

Target had some resilience built in because it’s a large company, able to absorb such shocks, admit Forrester experts, but in the future, the primary pressure point for large brands may not be financial at all. In the past, attackers have focused on stealing data that they can monetize. In the future, large firms could be laid low by intruders with other motives, argues Amy DeMartine, principal analyst at Forrester.

“We think companies are going to become more exposed to this embarrassment as attackers try to manipulate stock prices or its survival based on its geopolitical leanings,” she says.

We’ve already seen companies embarrassing themselves into rebranding. In a 1991 speech, Gerald Ratner, proprietor of the then-famous jewelry chain Ratners, called his product “total crap”, adding that his firm’s earrings were “cheaper than an M&S prawn sandwich but probably wouldn’t last as long”. The firm lost $500m in market value, closed over 300 stores, and changed its name less than two years later.

More recently, Sony Pictures was embarrassed by hackers who disclosed its internal emails at the end of 2014, and Verizon reportedly asked for an almost 20% discount ($1bn) on its purchase of Yahoo after the email and search firm revealed that it had lost 500m user account details.

DeMartine cites the Democratic National Committee hack and the Panama Papers – which resulted in the resignation of Iceland’s prime minister – as examples of how judiciously-applied leaks can have significant real-world implications.

Short-term Memories

In spite of these gaffes, killing off a Fortune 1000 company through sheer embarrassment would be difficult, say experts. Consumers tend to have short memories, argues Vince Warrington, director of cybersecurity consulting firm Protecting Intelligence.

“In cybersecurity we have long memories and we’ll be talking about these things for years to come.” This is not true of the general public, though, he says. “[The breach] happens and then the next news story happens, and it gets passed by. Scandals are too short nowadays.”

He has a point. Volkswagen wasn’t killed by its emissions scandal, and Samsung was scorched, but not immolated, by its exploding Galaxy Note 7.

“Look at TalkTalk,” says Ken Munro, a partner at Pen Test Partners, who spends his time working out how to break into companies. He’s referring to the communications firm that mismanaged information during its October 2015 data breach and received a $400m fine from the Information Commissioner.

“They managed their breach as badly as anyone could. They spent a bunch of cash on getting back up again,” he adds. “They had a painful blip, but they’re still there.” Indeed, the firm recently announced a $22m profit jump.

The Cost of a Breach

As founder of the Ponemon Institute, Larry Ponemon measures the financial effect of cyber-attacks on companies. He argues that the effect of a successful attack on brand trust varies between consumer and business-facing firms.

“If you have a data breach in a B2B environment where your customers are big companies, there’s a question of whether you can trust an organization for being a steward for the information that we all need to share,” he explains.

If it’s difficult to embarrass a company out of business, are there other ways to do it? There are several examples of companies that have been forced into bankruptcy or acquisition by cyber-attacks.

Code Spaces’ business rested entirely on providing digital storage and project management services for developers. It was killed after an attacker gained access to its Amazon Web Services dashboard and deleted almost everything. The company, which apparently didn’t have any off-site backups or separation of services, left itself vulnerable and paid the price.

Bitcoin exchanges are another vulnerable breed, not least because bitcoins are a digital version of cash. If the private keys that control those bitcoins are stolen and the coins are sent to another address, the transfer is irreversible; you can’t get them back. Mt Gox, the biggest bitcoin exchange at the time, eventually went out of business after the theft of 850,000 bitcoins from its coffers. Its CEO was subsequently arrested for embezzlement.

Forrester also gives DigiNotar as an example of a company laid low by cybersecurity issues. The Dutch certificate authority was found to be issuing fraudulent certificates after a compromise, resulting in a loss of confidence, bankruptcy and the handing over of its certificate services to the Dutch government.

The DigiNotar attack is significant, because its entire business model revolved around trust and cybersecurity. By successfully attacking it, intruders compromised its core mission, undermined trust and made the business untenable.

The same goes for HBGary Federal, a small cybersecurity company, which was hacked by members of Anonymous and had its emails stolen. The firm was acquired by IT services firm ManTech a year later.

Former executives from HBGary, DigiNotar and Code Spaces did not return our interview requests, but the companies had two things in common: their businesses were relatively small (certainly sub-Fortune 1000-sized) and their business models were narrow, relying on a relatively simple, focused source of revenue.

Their small size would have made it difficult for them to shoulder any financial damage that they incurred, while their narrow business models made it difficult to contain the damage by drawing on other revenue streams.

For attackers intent on felling a company, choosing those that depend heavily on a key asset is easier, argues Munro: “Find whatever that special sauce is that makes them tick, and you steal it or destroy it and take them down.”

Many companies have intellectual property that would damage them if stolen. “In a software economy, the key differentiator may not be the number of locations you have or your supply chain or your overall brand,” says Jeff Pollard, DeMartine’s colleague and a principal analyst at Forrester. “It might be how your software works, how your internal IP makes the lights turn on. That’s something that, in a software economy, is very easy to take away.”

Another technique could be to target a business based on its cadence, attacking it at a key moment that’s crucial to its business cycle, argues Munro.

“If you wanted to cause a lot of trouble, you’d do some banking fraud on payday,” he suggests. “I’ve seen that cause some real trouble in businesses, when they have uninsured first-party losses there.”

Even then, a Fortune 1000 company would have enough money in its coffers to cover such blips, and could recover before it ran out of cash, he admits.

Targeting the Physical

What about hitting a company’s physical production? suggests Warrington. “If you could affect some control software, which meant that oil well equipment was damaged, then how long would it take to replace that piece of equipment?”

We’ve seen physical attacks cripple certain infrastructures in the past. For example, Stuxnet disrupted – but by no means stopped – the refining of materials at Iran’s Natanz nuclear plant. In the Ukraine, disruptions to the electrical grid – blamed by Ukrainian authorities on a cyber-attack by Russia – caused outages for around 225,000 customers. Could a sustained attack on a small utility in the west bring it to its knees and send it to the bankruptcy courts?

There have certainly been fictional fantasies about SCADA-based attacks that take out physical infrastructure. In the TV series Mr Robot, hackers cripple mega-company ECorp by infiltrating its data centers and fiddling with the HVAC systems to fry its servers.

ZScaler’s Hodson is skeptical. “The distributed architecture of on-prem and cloud-based backup strategy would, I hope, preclude such an attack on availability of data”, he says.

Cyber-attacks can and have felled companies. The jury is out on whether Forrester’s 2017 prediction will come true, but in the meantime, at least one company that we all felt sure would fail is back, defying all logic: Ashley Madison, the extramarital affairs site that lost its entire customer database in 2015.

Canadian and Australian privacy commissioners had found that the site made up its own security certification, while those analyzing its customer database discovered that most of its female accounts were fake. That’s as embarrassing as it gets. Nevertheless, its parent company is under new ownership, and the site is running ad campaigns and signing new customers.
