Part 1 of 2 – This is the first in a two-part series looking at the current state of cyber protections in light of recent hacks, data breaches, and cyberwarfare.
Attacks on private personal and financial information have not decreased since Bates Research last reported on the headline-grabbing data breaches of Uber and Equifax, and the governmental data breach of the SEC’s EDGAR filing system. In the corporate attacks, financial information of some 57 million and 147 million individuals, respectively, was put in jeopardy. The hack into the EDGAR filing system (which handles more than 1.7 million filings a year) was startling. It was an indicator of the vulnerability of the very governmental agency entrusted to uphold the safety and integrity of the financial services industry.
In the wake of three new dramatic data breaches, including the Facebook/Cambridge Analytica scandal that compromised sensitive personal information of over 87 million users, a ransomware attack against the City of Atlanta that is still affecting city services, and the outright theft of as many as 5 million credit and debit cards from Saks and related retailers (not to mention Under Armour, with 50 million accounts, and now Panera, with 37 million accounts), cyberthreats seem far from contained.
Since the Equifax, Uber and EDGAR attacks, federal legislators have held hearings promoting legislative fixes, agencies and state Attorneys General have initiated investigations, and regulators, most notably new SEC Chair Jay Clayton, have announced major new regulatory initiatives.
Today, Equifax is still investigating and coping with its breach. In addition to replacing its CEO, contending with numerous investigations and lawsuits and promoting new products and services to regain some confidence from its customers, the company continues to make missteps as it struggles to gain control over the consequences of the breach. Uber is facing a flood of lawsuits and investigations both nationally and internationally. The latest action against it, announced only days ago by the Pennsylvania State Attorney General, seeks to hold the ridesharing company accountable not just for its failure to disclose the breach, but also for the active efforts it took to hide the breach from consumers.
Two years after the EDGAR breach, SEC Commissioner Michael Piwowar just recently disclosed that the agency is looking to hire a chief risk officer who will focus on its cyber defenses. He lambasted Congress for failing to fully fund Chair Jay Clayton’s requests for a budget increase to address cybersecurity issues. As Bates noted earlier in his tenure, SEC Chair Clayton made cybersecurity one of his top priorities for the agency. To date, there has been no full accounting of the extent of the EDGAR breach or a definitive statement on whether the breach impacted trading.
If those past cases highlighted the vulnerability of both private corporations and public institutions, these newer, high-profile cases are current reminders of the evolving sophistication and changing motivations of the attackers.
Facebook’s violation of its users’ data is a far more complicated story than a simple case of direct hacking. (View a good visual explanation here.) Though the bottom-line impact on users is fundamentally the same, the theft of personally identifiable information of millions of people, the Facebook scandal has far deeper implications for future regulation of the entire social media marketplace.
For sure, money was a key motivator in the Cambridge Analytica manipulations, as was charged in the recently filed class action suits against the company. (See also this letter directed to Facebook from State Attorneys General, asserting their jurisdiction over harmed constituents, as well as this public statement by the Acting Director of the FTC’s Bureau of Consumer Protection concerning Facebook’s privacy practices.) However, Cambridge Analytica’s use of the data for political and other purposes is a new kind of non-pecuniary motivation that suggests that future attacks may be harder to track and prevent.
The City of Atlanta breach has been categorized as a ransomware attack, since it targeted municipal systems for money. But the amount of the extortion demand, about $51,000 in bitcoin, suggests that if the incident is treated as a simple ransomware attack, regulators may miss the broader implication. Instead, it has been argued, this breach should be treated as a threat to “business continuity” rather than as a threat to privacy or citizen/customer trust. For legislators and regulators drafting new rules, these are important distinctions.
Based on the available facts, the attacks on retailers Saks, Under Armour and Panera are a reminder that, despite the increasing sophistication of both motive and execution, there remains a continuing vulnerability to the kind of breach that should be preventable by now, through corporate compliance and the application of best practices.
Next week, we will take a look at the evolving legislative and regulatory landscape intended to address these cyber breaches.