Daily Archives: February 8, 2016

There’s a lot of debate about how much data breaches and hacks cost companies – except when there’s not, as with the hack of UK firm TalkTalk, which put the cost at around $88 million.


One of the big questions that bedevil corporate executives is how much a cyber “incident” might cost the company. Indeed, the “cost of breach,” as it is often termed, is the subject of determined study by folks like The Ponemon Institute (and sponsors like IBM), as well as Verizon, consultancies like Kroll, and so on.

The question isn’t academic. Knowing how much a cyber incident will cost your company helps executives, board members and staff “price” risk and justify expenditures on security software and services.

But the surprisingly simple question of how much malicious cyber activity costs belies a surprisingly complex puzzle. Incidents like a denial of service attack might be easy to price: just figure out how much money you make from being online (if you’re an online retailer like Amazon.com, that’s a big number), then figure out how long the DDoS attack took you offline, add in the cost to get back online, investigate the incident and remediate, and you have it.

With other kinds of attacks – like data theft – the question is a lot more difficult to answer. Few public firms disclose “material” cyber incidents that affect them, even though the law in the U.S. would seem to mandate it. Some of the biggest cost drivers of breaches – like credit monitoring for affected customers and employees – end up costing much less than you would think. And, while corporate boards may be bracing for more cyber regulations that impose costs on breaches and data theft, there’s been little progress on that, at least at the federal level, nor is there likely to be any in an election year.

But there’s no doubt that hacks and other incidents do cost companies considerably and, every so often, the curtains part to give us a glimpse of how significant those costs are. That’s what happened this week in the case of UK telecommunications firm TalkTalk.

As you may recall, TalkTalk was the victim of a cyber attack in the final months of 2014 that resulted in the theft of personal data on 150,000 customers, including names, addresses, phone numbers and TalkTalk account numbers. At the time, the company said that some of that data was used in follow-on attacks aimed at extracting bank account and credit card information from victims.

Subsequent reporting suggested that the company was the victim of a distributed denial-of-service (DDoS) attack coupled with a SQL injection attack against application servers containing customer data.

According to a report on Tuesday, however, we now know how much all that malicious activity cost the company: $88 million at current exchange rates.

Where did that figure come from? TalkTalk said that most of the costs were only indirectly linked to the breach. For example, the company lost 101,000 customers in the months following the breach, 95,000 of which it estimates were because of the hack.

It should be noted that those costs are much higher than the $35 million price tag that TalkTalk initially put on the incident, which considered the cost of recovery and additional customer support.

Is this important? It should be: firm data on the cost of hacks is notoriously hard to come by and, absent strong federal legislation in the U.S., many firms that are the victim of cyber incidents find ways to sweep the details of the incident under the rug. It’s also worth noting that the TalkTalk revelation underscores the cost to businesses of cyber incidents that have little to do with recovery from the incident itself: loss of customers, reputation damage, fines and other penalties all add to the (hidden) cost of incidents. In cases where attackers make off with intellectual property or other sensitive data, we can expect the costs to mount even more.


Hacker Plans to Dump Alleged Details of 20,000 FBI, 9,000 DHS Employees


A hacker, who wishes to remain anonymous, plans to dump the apparent names, job titles, email addresses and phone numbers of over 20,000 supposed Federal Bureau of Investigation (FBI) employees, as well as over 9,000 alleged Department of Homeland Security (DHS) employees, Motherboard has learned.

The hacker also claims to have downloaded hundreds of gigabytes of data from a Department of Justice (DOJ) computer, although that data has not been published.

On Sunday, Motherboard obtained the supposedly soon-to-be-leaked data and called a large selection of random numbers in both the DHS and FBI databases. Many of the calls went through to their respective voicemail boxes, and the names for their supposed owners matched with those in the database. At one point, Motherboard reached the operations center of the FBI, according to the person on the other end.

One alleged FBI intelligence analyst did pick up the phone, and identified herself as the same name as listed in the database. A DHS employee did the same, but did not feel comfortable confirming his job title, he said.

A small number of the phones listed for specific agents or employees, however, went through to generic operator desks in various departments. One FBI number that Motherboard dialled did go through to a voicemail box, but the recorded message seemed to indicate it was owned by somebody else. This also applied to two of the DHS numbers.

After several calls, Motherboard was passed through to the State and Local desk at the National Operations Centre, part of the DHS. That department told Motherboard that this was the first they had heard about the supposed data breach.

The job titles included in the data cover all sorts of different departments: contractors, biologists, special agents, task force officers, technicians, intelligence analysts, language specialists, and much more.

The data was obtained, the hacker told Motherboard, by first compromising the email account of a DoJ employee, although he would not elaborate on how that account was accessed in the first place. (On Monday, the hacker used the DoJ email account to contact this reporter.)


From there, he tried logging into a DoJ web portal, but when that didn’t work, he phoned up the relevant department.

“So I called up, told them I was new and I didn’t understand how to get past [the portal],” the hacker told Motherboard. “They asked if I had a token code, I said no, they said that’s fine—just use our one.”

The hacker says he then logged in, clicked on a link to a personal computer which took him to an online virtual machine, and entered the credentials of the already hacked email account. After this, the hacker was presented with the option of three different computers to access, he claimed, and one was the work machine of the person behind the originally hacked email account.

“I clicked on it and I had full access to the computer,” the hacker said. Here the hacker could access the user’s documents, as well as other documents on the local network.

The databases of supposed government workers were on a DoJ intranet, the hacker claimed. It is not fully clear when the hacker intends to dump the databases.

The hacker also said that he downloaded around 200GB of files, out of 1TB that he had access to.

“I HAD access to it, I couldn’t take all of the 1TB,” he said. He claimed that some of the files’ contents included military emails, and credit card numbers. This supposed data was not provided to Motherboard.

This is just the latest in a series of hacks targeting US government employees. Back in October, hackers claiming a pro-Palestine political stance broke into the email account of CIA Director John Brennan. This was followed by a prank, in which calls to the Director of National Intelligence James Clapper would be forwarded to the Free Palestine Movement.

The Department of Justice did not respond to Motherboard’s request for comment, and the FBI was not reachable. Motherboard provided a copy of the apparent DHS data to the National Infrastructure Coordinating Center (NICC), which is part of the DHS, but it declined to comment. A DHS public affairs officer did not immediately respond to Motherboard’s request for comment.

Update 8 February 2016: After the publication of this article, a Twitter account with a pro-Palestinian message published the apparent details of the 9,000 DHS employees. The account also tweeted a screenshot supposedly from the Department of Justice computers that the hacker claimed to have accessed. The list was posted to “cryptobin.org” on the night of 02-07-2016.