It must mean something when the latest report of cyber attacks could easily appear on the front page of a supermarket tabloid newspaper. One can imagine a hypothetical headline:
“Hot Hacks Hit Hollywood!”
The reference, of course, is to recent reports that as-yet-unidentified crypto-criminals broke into the Apple accounts of several famous actresses and posted their intimate photos online without authorization.
The immediate fear was that the hackers somehow breached Apple’s cloud systems, but that was quickly discounted. The bad guys simply, but very determinedly, attacked individual accounts of people whose background information could be unearthed relatively easily.
Almost simultaneously came word that Home Depot fell victim to a whole different sort of cybercrime, in which massive numbers of credit and debit cards reportedly were stolen and placed on the black market. This latest attack is more in line with previous payments breaches associated with Target and other retailers.
Hammering Home Depot and Hacking Hollywood
The implications of these two cases have some commonalities:
1. Vulnerability. They make abundantly clear just how vulnerable we all are to digital criminals. Crooks can reach not only into our boudoirs but into hardware habits.
2. Common Sense Precautions. They move the dusty subject of protecting and changing passwords away from what old Uncle Ed might have talked about over dinner, to what the slick television news anchors now are talking about. (Editor’s Note: Not to mention what Dad might have said about stupid selfies.]
3. Final wakeup call? The two incidents underscore that it’s no longer just a matter of educating consumers, or even criticizing consumers for being apathetic about their own security. It really is the responsibility of retailers as well as individuals, and by extension, the financial institutions that ultimately bear the brunt of such crimes, to take online security seriously.
As an example, take the celebrity photo hack.
Bloomberg News reporters Jordan Robertson and Adam Satariano, in a recent article, illustrate that user names, passwords, and security questions just aren’t enough anymore. They point out that in, unrelated cases, Sarah Palin’s Yahoo! account was hacked because someone looked on Wikipedia to find her birth date. Also, Paris Hilton, in another unrelated case, was hacked because the intruders easily found out her dog’s name. The reporters quote Brian Finch, a Washington D.C. lawyer, who says: “So much of cyberattacks can occur because the internet and so many services are built for reliability first. Security is a far lower consideration.”
For its part, Apple says in a statement that “We have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords, and security questions, a practice that has become all too common on the internet.”
That these particular individuals were famous might have made the personal information gathering, or what’s termed “social engineering” in the security trade, a little easier than that of ordinary citizens.
With all the information banging around the internet and in social media on all of us, none of us is safe.
In the Home Depot case, the lead reporter/investigator is Brian Krebs, a former Washington Post reporter and now publisher of an influential blog called krebsonsecurity.com. He not only broke the news of the breach but subsequently correlated the Zip Codes of all the recently put-up-for-sale cards with the presence in those areas of Home Depot stores.
As he explains it, what this means is that the criminals who will buy these cards—or their information—would want to use the individual cards at the stores close to where the legitimate users likely reside. In this way, they’d have a better chance of slipping past protective systems that might detect anomalies. For example, while a system might catch someone using a California card in Florida, it might not catch someone using a card in-state.
Digital breaches: dry in third person, scary in first person
To be sure, there is plenty of the dry and dusty research on digital breaches, much of it quite recent. Here’s a sampling:
• DDOS attacks. Over the past year 41% of organizations globally were hit by distributed denial of service attacks, and three fourths of these were hit more than once, says BT Security. (DDOS attacks often are used by cyberthieves to get past overloaded or distracted security systems.)
• Now back to your regularly scheduled breach … In the first half of 2014, more than 375 million customer records were stolen or lost as a result of 559 breaches worldwide. In each of the last four consecutive quarters there has been one major data breach in which more than 100 million records were exposed, says SafeNet Inc.
• Rising consumer awareness. 54% of online shoppers feel that they are more conscious of their security online compared to 12 months ago, following the string of high-profile security breaches, says eDigitalResearch.
• Increasing consumer skepticism. U.S. consumers have little faith that companies are able to keep their personal data safe, with almost a third saying that no industry segment does a good job, says Radius Global Market Research.
Regarding this last bit of research, Radius did find that in general financial websites out-perform other industries in keeping information safe, with 25% of respondents saying they do the best job. At the other end of the spectrum, operating systems and social media sites are not perceived very highly with securing personal information.
“Consumers made it clear that a perception of poor security practices is reason enough to stop doing business with a brand. Clearly it is not enough to have a good track record. In this environment brands must adjust communications to merchandize ongoing efforts in order to establish and keep trust,” says Jamie Myers, Radius director.
The final word, from Tsion Gonen, chief strategy officer, SafeNet:
“Data breaches are not just breaches of security. They’re also breaches of trust between companies and their customers, and can result in not only negative publicity but lost business, lawsuits, and fines that can threaten the viability of the business. For organizations that fail to address their security vulnerabilities, the problem is only going to get worse.” (Emphasis added.)
It will be interesting to follow exactly how Apple, Home Depot, and no doubt other big name brands, react to and recover from such negative publicity.
Sources for this article include: