We hear it every week: more and more institutions are getting hacked, causing massive breaches of their customers’ data. Figures in the millions of profiles compromised have become so common that we are numb to the news. Almost every week we hear of a new company falling victim to yet another cyber-attack. We may raise concerns in the fleeting moment while the stories are still hot, but what happens once the initial commotion has died down?
Let’s look at cases of famous company data breaches…
Many have referred to the cybersecurity attack on J.P. Morgan Chase & Co as the largest theft of customer data from a financial institution in US history, with over 100 million customers, 76 million households and seven million small businesses affected. The attackers stole mainly customers’ contact information, which included names, email addresses, postal addresses and phone numbers. Fortunately, the hackers were unable to gather customers’ account information, which consists of account numbers, social security numbers, passwords and dates of birth, and most importantly the money in customers’ accounts remained safe. Even though the hackers were unable to obtain detailed account information, it is still possible for them to use the stolen email addresses and other breached details to their advantage.
Hackers do not only aim to steal detailed account information; even confidential documents are stolen and exposed, as happened during the Sony Pictures hack. Such a hack normally begins with malware or phishing emails that appear to come from the company’s own employees, duping users so that the attackers gain a foothold in the company network. Once the hackers manage to pose as a legitimate user, they attempt to move around the network and slowly steal information from under the company’s nose.
Another high-profile hack was the Ashley Madison Agency hack, in which records of people who had used the online dating website were released online, including customers who had paid a fee to have their data deleted. The victims of all these hacks may be targeted for extortion and for other attacks such as spear-phishing and ransomware, as many of them want their personal information kept private.
What’s the next step?
When a company is faced with a cyber security breach, the first key point in minimizing its impact is to stress transparency and communication with customers, and to reassure them. Customers want to be kept in the loop and to be able to trust the company to handle the after-effects of a security breach.
“It’s pretty interesting, but the reason for the mistrust (of victims) wasn’t because they got hacked. It’s about trust. People know that people get hacked. Everyone has been part of a hacking incident.” – J.J. Thompson, CEO at Rook Security, on the 2013 Target breach.
Instead, the victims were more upset that Target did not seem sure about the details of the breach, bearing in mind that people can be very reactive. The challenge for companies is to know what could be stolen before it is stolen, which requires both threat response systems and content control. With these in place, the company has the knowledge to make an accurate disclosure.
To reassure its customers, Target claimed it “began investigating the incident as soon as we learned of it” through a “leading third-party forensics firm.” The company said it also notified banks and law enforcement. To compensate customers for fraudulent transactions, a company will generally owe money to credit card companies such as MasterCard, Visa or American Express. In the Target case, the company said it would offer affected customers a free credit monitoring service and set up a telephone hotline. Target also offered a store-wide 10% discount over one weekend, although retail consulting firm Consumer Growth Partners estimated that customer transactions at Target stores still declined on the Saturday compared with the same weekend the year before.
Who’s to blame in the company?
Generally, it is difficult to find a single scapegoat that the company can gladly point its finger at during a data breach. The people most often held responsible in an organisation for a data security breach are the CEO, CFO or CIO. However, some companies are expanding their cyber-security leadership with a chief information security officer (CISO), to give a named individual responsibility for heading up the security effort. Even so, the blame should not fall on the CEO alone: it is every employee’s responsibility to look after security. The IT department certainly ought to be actively involved in addressing and fixing the problem, but prevention and identifying the risks are the responsibility of every employee. Given the size of a company and the complexity of a hack, it is not easy to pinpoint one specific person to hold accountable. Consumers, on the other hand, want individuals in the company to be culpable for its supposed security failures, with some even wanting security officers to face jail time. The challenge for companies is that they are constantly targeted by cyber-criminals these days, and employers and employees alike have no hiding place in the aftermath of a data breach. Even after everything has been settled, shareholders and consumers will likely want someone to be held publicly accountable so that the company can move on and rebuild its tarnished reputation.
Long run effects of a breach
The effects of a data hack are felt by the company even in the long run, as it endures lasting damage to its reputation. People tend to lose trust in companies that have suffered cyberattacks or data security breaches, which means losing potential customers. Often, a single data breach can bring about ripple effects for the company for years to come.
For instance, after the Sony Pictures hack, Sony not only had to pay the cost of damages, but also sold its Vaio computer business and split off its TV division to be run as a wholly-owned subsidiary. Additionally, the decline in Sony’s mobile business following the breach resulted in a massive number of job losses among Sony’s employees, with the company laying off 2,100 smartphone division jobs by the end of March 2016. The Sony Pictures hack even escalated into an international political standoff between the United States and North Korea after U.S. officials alleged that North Korea had been behind the cyber-attack on Sony Pictures. The total sum of damages for Sony in this breach (which covers “investigation and remediation costs”) is said to have reached $15 million.
In the end…
Accountability starts at the top of any organization. Breaches can still occur because of human error, and new defences will always need to be built. If no one owns data security and privacy, then the company has no serious plan to defend and protect its greatest asset.
“Cyber-attacks are not going to go away, and we’re going to see more of it.” – Tony Scott, U.S. Chief Information Officer.