When companies are vulnerable to cyberattacks, our personal information pays the price. Brendan Garrett asks what should be done to change this.
DESPITE what the latest season of Black Mirror tells you, hackers aren’t all that interested in ordinary people. Contemporary hacker activity is not focused on those with shady pastimes or unsavoury history tabs. No, the typical targets of cybercrime are those based in the sectors of commerce, finance, politics and entertainment, but it is the ordinary person whose information is put at risk.
Examples of cyberattacks have been plentiful in recent years: the Clinton email saga, which has been on-going for the last year and is showing no sign of fading from discourse; the Snapchat hack of 2014, which saw the publicising of 4.6 million users’ private photos and videos; or the 2011 hack of Sesame Street’s YouTube channel, an attack that led to the child-friendly channel streaming 22 minutes of pornography.
These were all highly publicised, but apart from this the hacks have little in common. The range of victims of cybercrime is evidently wide, with institutions and individuals both big and small being targeted.
In Britain there has been a spike in small businesses being attacked by hackers, with 74% of small organisations reporting a security breach in 2015. Many of these cases feature ransomware, software which encrypts all of the files found within a system and requires a key to reverse. The hackers will then sell the key to business owners for amounts typically ranging between £500 and £3000.
Meanwhile, on the opposite end of the commercial spectrum, the new age of corporate espionage has led to the rise of eBay-esque sites which advertise and request the hacking of specific companies. Residing in the seedier parts of the internet, sites such as the recently shut down Enigma act as a forum for both disgruntled employees and business rivals to exchange access to data stores for money. Examples of such activity include hackers in Eastern Europe breaching Chinese data systems.
“the new age of corporate espionage has led to the rise of eBay-esque sites which advertise and request the hacking of specific companies.”
Geographical borders mean nothing to these online communities, and in many cases attacks are made without leaving any tracks. The Ashley Madison hack of 2015 saw 25 gigabytes of company information being stolen, and the only trace of it online is one Enigma user, named Diablo, requesting access ASAP and advertising it as a “big job big opportunity”.
But why are these attacks not prevented? With weekly stories of new hackings, one would presume that companies not yet affected would sign up for comprehensive software protection; the truth, however, seems to indicate the opposite.
For example, Target, which is the second-largest discount retailer in the US, fell victim to a cyberattack in 2014 that resulted in 110 million customers’ personal information and credit card details being leaked. This attack was instigated by malware, which was first sent by email to employees of Fazio Mechanical, a firm which installs heating and ventilation for Target.
“Personal information is shared so freely these days that the idea that that very information is being protected is often overlooked.”
This virus was then latently transported by email into the larger corporation’s system. Target’s malware protection system failed to detect the attack; in fact, Fazio Mechanical was the first to point out the breach. The reason for this is that Target, which this year came in at number 38 on the Fortune 500, used a free anti-malware programme to defend against attacks, one that does not provide real-time protection but rather on-demand scans and, more importantly, one whose licence prohibits corporate use.
If a company which saw $3.4 billion as its 2015 revenue is resorting to free malware protection software, we can assume that it is not alone. There is a strong chance that other companies which have a stake in the S&P 500 are leaving their online defences wide open.
Personal information is shared so freely these days, yet the protection of that very information is often overlooked. This is a presumption which companies have taken advantage of, but they will not be able to do so for much longer.
“One would presume companies not yet affected by hackings would sign up for software protection, however the truth seems to indicate the opposite.”
The EU has brought in the General Data Protection Regulations, which come into effect in 2018. This new statute could result in companies being fined either €20 million or 4% of their annual turnover if they allow data breaches to compromise customer information, thus incentivising businesses to run a tight ship with their security protocols.
In the US, President Obama proposed the Personal Data Notification and Protection Act last year, which would give companies that have been victimised by a data breach 30 days to let their customers know of the attack.
Seeing as the EU regulation will not take effect for another two years, Irish customers will be left vulnerable until 2018. With no law in place that requires hacked companies to notify their customers of a breach, the likes of Dunnes, Paddy Power and Irish Rail, complete with all of their customers’ credit card information, could already have been victimised by cybercriminals. And still, the consumer remains none the wiser.