Cyber attacks should never be taken lightly. N.E.V.E.R.
The gravity of these attacks is so massive that it may even lead a person to the point of DEATH. (Note: I am not exaggerating. Read on and you’ll know what I’m talking about.)
Allow me to share with you three cybersecurity horror stories that you can learn from.
Since you’re just starting your company, I hope the stories you’ll read will compel you to take cybersecurity seriously.
After all, with all the news about government websites or blue chip companies getting hacked here and there, there’s no reason for you to think that you’re safe from these attacks.
Sony Pictures cyberattack
On November 24, 2014, Sony Pictures fell prey to a widescale system attack. Hackers’ malware rendered erased half of Sony’s global network, rendering 3,262 of its 6,797 computers and 837 of its 1,555 servers inoperable.
The hack displayed a warning message stating that the hacker group called themselves the “Guardians of Peace.” The hack also revealed a part of the sensitive data that was obtained during the hack.
In the days following the hack, the group started leaking confidential files and unreleased films onto public file-sharing websites on the internet. This information disclosure included unfinished movie scripts, mortifying emails, salary lists, and even more than 47,000 Social Security numbers.
In response to this, Sony quickly established internal teams to manage the data leaked and lost to the internet.
The entertainment company also contacted FBI and FireEye (a publicly listed cyber security firm) to help protect employees with exposed personal data, repair the damaged systems infrastructure, and trace the source of the file leak.
On December 16, 2014, the Guardians of Peace threatened to take terrorist actions similar to the 9/11 attacks if the film “The Interview” (which was then up and coming) is released in theaters.
Following the primary threats, several theater chains announced that they would not screen the movie.
In response to this, Sony abandoned their national Christmas release date for the movie and instead made it available only in about 300 mostly-independent theaters and through video on demand.
For the first quarter budget of 2015, Sony has set aside $15 million to deal with the devastating hack it suffered the last year. As a result of this, Sony fortified its cyber security infrastructure with solutions to avoid possible future data losses and hacks.
The hack’s aftermath led to Sony co-chairperson, Amy Pascal, announcing in February of 2015 that she was “fired” by the company and that she would step down in May 2015, and that she would be more invested instead in the film production aspect of the industry.
Target data breach
Before Thanksgiving of 2013, hackers installed a malware in the security and payments system of Target that has a reach covering 1,797 company stores in the United States.
The eventually identified hacker tool, called “BlackPOS”, is a malicious software created by a 17-year-old Russian from St. Petersburg that was sold throughout Eastern Europe.
This malware uses easy passwords to remotely hack the registers of stores, allowing sensitive information from the credit card of shoppers to be captured onto the commandeered Target servers whenever it gets swiped.
On November 30, 2013, hackers uploaded an exfiltration software to move the stolen information out of the servers and onto staging points around the U.S. to hide the trail, and then move the data from these locations into their computers in Russia.
Here’s the twist: Target previously invested $1.6 million on a malware detection tool from a cybersecurity firm. This investment also included a team from Bangalore who would alert the retail chain whenever they would spot a hack.
The cybersecurity firm alerted the Bangalore team about the detected malicious software uploaded, who then flagged the company’s security team in Minneapolis and passed on to them the alert. Target responded to this notification by doing… nothing.
On December 2, 2013, credit card numbers began flowing out of the company’s compromised servers. Target, however, failed to act despite being aware of the hack.
Only after being warned by federal investigators on December 12, 2013, about the data breach did Target confirm the event and eradicate the malware on December 15, 2013.
However, their act was too late, as about 40 million credit card numbers have already been stolen from the servers.
In the wake of the hack, Target is left with over 90 lawsuits and about $162 million in data-breach related expenses across 2013 and 2014.
On May 2014, the retail chain announced that Gregg Steinhafel — the company’s CEO, president, and chairman — held himself personally accountable for the data breach and stepped down from all positions.
Ashley Madison leak
A hacker group that calls itself “The Impact Team” revealed on July 15, 2015, its cyber attack on extramarital affair dating site Ashley Madison.
The group threatened to expose the identities of site users if Avid Life Media (it’s parent company) did not take down Ashley Madison and Established Men (it’s sister sites).
The site has a policy of not deleting its users’ information, which includes credit card transaction records, search histories, home addresses, and real names.
The company requires email account owners to pay a $19 fee for profile deletion, to which hackers allege Avid Life Media receives up to $1.7 million per year from this practice.
The first batch of customer names was released on July 22, 2015, with the rest of its user data leaked on August 18, 2015. This information was released via BitTorrent as a 10-gigabyte compressed archive.
More data from the breach was released on August 20, 2015, which includes 12.7 gigabytes worth of corporate emails from the company.
Around 1,200 Saudi Arabian email addresses were revealed in the leaked database. This disclosure was concerning since adultery is punishable by death in the country.
During the days that came after the attack, extortionists began targeting people who had details included in the link. A chain of leak-related suicides soon followed after the two data dumps online.
As of August 2015, Ashley Madison is facing a $576 million class-action lawsuit due to the data breach. The legal action was filed by Canadian law firms Charney Lawyers and Sutts, Strosberg LLP.
One thing we can learn
The value of practicing safe cyber security hygiene cannot be emphasized any less.
Protection against system breaches should never be taken lightly by companies since being hacked could cause catastrophic consequences.
If you own a small or medium enterprise without any real defense programs, you may be at risk of a data breach. Safeguard your business by learning more about startup cyber security today.