Commerce depends on trust. Consumers purchase products on the Internet or in stores with the expectation that companies will protect their personal data — names, addresses, credit card numbers, purchase histories.
But it turns out that trust rests on somewhat shaky ground. A recent Ponemon Institute survey (Perceptions About Network Security, June 2011) of more than 500 IT and IT security practitioners in the United States found that 90% of their organizations had experienced at least one data security breach in the past 12 months, and nearly 60% said they had been hacked more than once during that period. Corresponding numbers for Europe from the same survey were 84% and 49%.
While not all security breaches result in the loss of personally identifiable information (PII), cybercrime’s damage can be far-reaching for both corporations and individuals:
- In April 2011, Sony Corp. announced that PII had been compromised for some 70 million users of its PlayStation Network. The company took heat from the public, politicians and privacy advocates for waiting nearly a week before warning customers that their personal data, including credit card numbers, could end up costing parent company EMC $66 million in transaction monitoring and token replacement for corporate customers.
Not all breaches are this expensive, but many of them are still quite costly. The Ponemon survey found that 22% of attacks cost companies between $500,000 and $1 million in fines, liabilities and the IT costs of cleaning up, while 15% of attacks resulted in costs of $1 million to $2.5 million. In 2010, the Digital Forensics Association estimated that data breaches had cost companies a cumulative $139 billion over the previous five years.
As federal prosecutors, we work to protect the citizens of New Jersey from cybercrime, to defend the companies that do business here from cybercriminals, and to prosecute and convict anyone who uses hacking or other high-tech means to steal money or data or to cause other types of harm.
But our ability to stop this cybercrime wave and prosecute criminals is severely limited if the victimized companies don’t report the crimes. Wary of embarrassment, negative publicity and loss of customer trust, far too many companies fail to report the intrusion to us. In fact, we estimate that as many as 90% of data breaches and hack attacks go unreported.
Keeping a hack attack quiet may have short-term benefits for the corporate victim, but in the long run it only perpetuates the problem. Law enforcement authorities can use a wealth of resources to catch data thieves and bring them to justice. But we cannot act until we know about a breach.
Only by working closely with law enforcement authorities can corporations hope to gain the upper hand against hackers in the battle to protect data privacy.
IT Security is a Challenge, but Prison is a Deterrent
Given their high costs in money and in lost customer confidence, why do so many attacks still go unreported?
Many companies that are skittish about negative publicity think they can handle the problem internally. Or they’ll turn to an external forensics firm rather than call upon law enforcement.
Sadly, some companies find it easier to deny that a problem exists than to attempt to solve it. Internal investigations can be clouded by conflicts of interest. IT departments charged with investigating suspected breaches may be reluctant to admit that their data centers were inadequately protected. For example, when credit card companies flag suspicious activity and warn of potential data breaches, the victimized company may deny it after only a minimal investigation.
Even if a corporation or an outside forensics firm investigates a data breach more thoroughly, neither of them can issue warrants or subpoenas, or collaborate with domestic and international law enforcement agencies. Only we can do that.
Without the help of law enforcement, the best a corporation can hope to achieve is to control damage and tighten security to reduce the chances of another data breach. Corporations can almost never catch hackers on their own. To a hacker, IT security is just a challenge, not a deterrent. In our experience, the only lasting way to deter data thieves is to convince them that their actions will bring harsh consequences, including arrest, prosecution, conviction and imprisonment.
Don’t Make it Easy for the Hacker
While IT security alone can’t guarantee your data will be protected, it is still true that criminals seek out the easiest targets. All things being equal, a thief will be more likely to target a house where the windows are open and the jewelry is in plain view than one with a wall, barbed wire and a security system.
Corporations should implement all of the basic security steps — for example, requiring employees to create nonobvious passwords that are difficult for hackers to crack. Companies can also thwart hackers by implementing security and privacy standards such as ISO 27002, COBIT, NIST Special Publication 800-5 and/or generally accepted privacy principles. These standards are only starting points, and companies may want to go beyond them for additional protection.
Companies should also preempt attacks by disgruntled employees. One strategy is to separate powers within the IT department. This is standard practice in other organizational structures, but in IT some administrators still have access to all of a company’s data.
Organizations should be extra vigilant to guard against hacking at times of personnel changeover and disruption. Salary adjustments, hires, promotions, terminations and impending layoffs can trigger malevolent action against a company’s databases. Companies should implement policies that cut off systems access immediately upon termination. The day after the layoff is too late. And it is always a smart idea to keep database access logs for a long time so that law enforcement can quickly trace subsequent data breaches back to the point of origin.
Companies that receive warning of a suspected data breach from a credit card company must take that warning seriously and investigate it thoroughly. Several times, credit card companies have narrowed the source of a breach to a single company and issued a specific warning, only to have that company deny culpability. Expecting an IT department to investigate itself and unearth its own weaknesses goes against human nature. That’s why it often makes sense to bring in an unbiased third-party team to conduct a comprehensive investigation.
If a data breach has occurred, developing an ad hoc response plan while simultaneously trying to practice damage control seldom yields the best results. Develop that response plan before you need it. It should designate experts who will provide help and legal advice; a plan to preserve evidence; ways to inform the appropriate authorities; and a team for handling the crisis.
Treat Hacking as a Crime — Because It Is
Corporations routinely report other types of crimes. If a pharmaceutical company discovers counterfeit products in its New Jersey supply chain, it contacts the local U.S. Attorney’s office, the port authorities, and other relevant investigators and law enforcement personnel. The victim cooperates with law enforcement agencies to locate and prosecute the counterfeiter. The company is grateful for law enforcement’s help, and the authorities are grateful that the corporations have brought lawbreaking activity to their attention.
The same is true of shoplifting. For years, shoplifting was neither measured nor reported by retailers. Businesses hid shoplifting because they felt it gave them a black eye. By the 1960s and ’70s, shoplifting had become an epidemic with a serious impact on retailers’ bottom lines, and attitudes changed. They installed new technology, trained security staff, and started to measure and report shoplifting. Retailers posted warnings stating “Shoplifters will be prosecuted.” While technology and training were important, the most dramatic improvements came when retailers teamed up with law enforcement to arrest and prosecute shoplifters. This deterred them — and others like them — from repeating their crimes.
Corporate victims today can learn from the shoplifting example. Virtual “Cybercriminals will be prosecuted” signs should be posted across the cloud. As with counterfeiting and shoplifting, companies should harden their defenses and join with law enforcement to catch cybercriminals. Along with having more resources and powers than businesses do, police and prosecutors may already be investigating other data breaches involving some of the same individuals or organizations. We have learned that serious data breaches typically involve a core network of participants, each with a specialized role in acquiring, selling or monetizing stolen PII. Our insights into crime trends across jurisdictions put us in the best position to connect the dots and find relationships among hacking attacks at different companies.
For example, in 2003, Lowe’s suffered a data breach. A hacker named Brian Salcedo gained access to a corporate data center via a Wi-Fi hotspot outside a store in Southfield, Michigan. Salcedo planted software to scrape credit card data so that he could access it later. When Lowe’s IT department discovered that its data center had been breached, the company faced a difficult choice: Plug the data breach or keep it open long enough for law enforcement to assume an active role. Rather than trying to handle the situation on its own, Lowe’s contacted law enforcement. The FBI quickly isolated the source of the data breach and caught Salcedo in the act of hacking. He was arrested, prosecuted and sentenced to nine years in prison.
Medco Health Solutions is another success story. In 2003, Yung-Hsun Lin (a.k.a. Andy Lin), a Unix administrator who was upset by the possibility of impending layoffs, created a ticking “logic bomb” within some server code. Programmed to go off on Lin’s birthday in 2004, the bomb malfunctioned due to a programming error. Lin attempted to correct the error and reset the bomb, but a Medco computer systems administrator discovered and disabled the bomb a few months before its new trigger date. Rather than just trying to fix the problem itself, Medco referred the matter to law enforcement. Our office prosecuted Lin, who pleaded guilty. He was sentenced to 30 months in federal prison and ordered to pay $81,200 in restitution. The conviction, which was widely reported, sent a strong message to disgruntled employees that cybercrime carries real risks and penalties.
Misconceptions Keep Hackers in Business
Many corporations don’t realize how seriously law enforcement treats hacking crimes, or they might think the costs of asking us for help after a data breach or data theft are too high. They also underestimate our ability to stop the crimes or catch the criminals. Given these misconceptions, it is not surprising that many companies believe they can depend only on their own IT staff for protection from hackers.
In reality, cybercrime is a huge priority for our office and the Department of Justice across the country. Investigators and prosecutors alike recognize that a criminal with a laptop may be able to steal more than a household burglar, a bank robber or even a sophisticated fraudster can. Today we dedicate substantial resources to investigating and prosecuting cybercrime. And even though IT departments can strengthen a company’s technological defenses, they can’t shut down networks and put hackers behind bars.
Even some companies that recognize this still prefer to handle the situation quietly and internally because they fear “going public” will hurt their stock price or their reputation. Some corporate attorneys talk C-suite executives out of reporting a crime because of the potential liabilities arising from the admission that PII may have been stolen. Companies also may worry that a law enforcement investigation will victimize them all over again by confiscating their servers, thus making life even more difficult following the traumatic attack.
These fears were understandable in the past. Stock prices often do suffer for a short period after a data breach is revealed, although they usually rebound just as quickly. But with data breaches becoming more prevalent, they have become less newsworthy, and their effect on stock prices is often negligible. And corporate attorneys should consider that a short-term hit is a small price for protecting against SEC action or shareholder lawsuits if the data breach is exposed at a later date.
While heavy-handed law enforcement investigation techniques might have caused companies trouble in the past, nowadays we take care to avoid disrupting a company’s ongoing operations during an investigation. Corporations are our allies in the fight against cybercrime, and we want to strengthen that alliance by making it easier for them to work with us.
Help Take a Byte Out of Crime
Cybercrime, hacking, data theft, data breaches — all are ubiquitous and underreported. As a result, criminals feel that they can act with little serious risk of prosecution or imprisonment. If one firm neglects to report a hack attack, it makes all of us less secure.
Law enforcement and corporations have the same goal: to catch and prosecute criminals, thereby deterring future crime by showing would-be hackers the harsh potential consequences of their actions. Along with private forensics firms, we all have important roles to play in the fight against cybercrime. Only by working hand in hand can we start to turn the tide.